rgm at ICSA.NET
Thu Jan 27 12:43:32 EST 2000
At 12:37 PM 1/27/2000 +0100, Vasek Petricek wrote:
>Has anyone seen or done some evaluation of the SKIP protocol?
We had quite a few of them for the Montreal IETF meeting ;)
>It seems to differ from IPSec in that it encrypts a packet using a random
>key that is encrypted using a shared secret and sent together with tthe
>packet. Are there any security risks in doing so, or is the overhead
>considered to be too much?
Not quite. SKIP is an alternative Key Management Protocol to IKE or
Photuris. All three establish symetric keying material for IPsec's ESP or AH.
SKIP uses 2 Diffie-Hellman exchanges. The first is based on 'well known'
keys. Since there is a small chance that these keys would be cracked over
time, and if used heavily, they are only used to protect an exchange of a
pair of ephemeral D-Hs that actually supply the IPsec KEYMAT.
SKIP ain't so bad, if you have a single administrative domain (it lacks
many of the fine grain policy controls in IKE). It was this one reason
that I argued against it for VPN usage at the Montreal IETF. I pointed out
to Ashar that, ignoring the violent security debates about SKIP, this lack
would limit SKIP to homogeneous VPN deployments. This has since been born
out by some early adopters that have used SunScreen and Checkpoint's SKIP
Now it WOULD be very nice ot have more than one key exchange protocol for
IPsec, trageted at different community needs. IKE is so complex becuase it
is anything to everyone. Of course, this is part of the reason IKE 'won'.
>Thanks for any information and your opinions,
>VPN is sponsored by SecurityFocus.COM
Fax: (248) 968-2824
rgm at icsa.net
There's no limit to what can be accomplished
if it doesn't matter who gets the credit
VPN is sponsored by SecurityFocus.COM
More information about the VPN