
ISAKMP at other layers (was RE: eliminate AH)



> From: "Waterhouse, Richard" <Richard.Waterhouse@gsc.gte.com>
> 
> >We have at least 4 Working Groups creating their own security protocols,
> >
> >Nonetheless, we are way past our deadlines, and people *are* going to get
> >fed up and do it themselves if we don't shape up.
> >
> >The popularity of SSH, SSL, PPTP, etc. are all because of RUNNING CODE. 
> 
> ISAKMP is supposed to be for more general use than just negotiating IP
> security. Yet I can detect no trace of any effort to coordinate its
> use with any of the other Internet security mechanisms. Is there
> any such effort underway that is simply not visible to me?


There is just more than a trace of effort at this point :-).

The use of ISAKMP as the TLS key establishment mechanism was discussed as
far back as the very first TLS WG meeting.  But at that time the IPSEC WG
was deep into KMP battles, first with Photuris, then with SKIP.  There
was not (and still is not) a referenceable RFC for ISAKMP, and little
experience with running code.

By contrast, the SSL v2 key negotiation mechanism (the "handshake layer")
was already widely deployed, and the lessons learned from v2 were applied
in the design of SSL v3, the baseline for TLS.

Now that the TLS working group is about to publish TLS 1.0, the schedule
pressure is off and a little more thought can be given to designing
TLS 1.1 and beyond.  The TLS discussions in Memphis included accommodating
the needs of SSH, and enabling/migrating to the use of ISAKMP.  This is
just at the discussion stage, and there is certainly no consensus on what
specifically needs to be done, but there is a faction that believes that
the IETF should have a single KMP suitable for use at all network layers,
reducing the need for security analyses for each different network protocol,
and enabling new features/requirements to be designed and defined once and
then reused for multiple protocols.

Rather than having the IPSEC WG attempt to push ISAKMP out to other
applications, it would be more effective for the other working groups
to attempt to pull ISAKMP in.  If there is a protocol you are particularly
interested in, go to its WG and speak up.