
Re: Last Call for IPSEC



Lewis McCarthy wrote:
> 
> Peter Ford writes:
> > 3) calling anything the Internet
> > Key Exchange (IKE) should not happen since there are many Internet Key
> > Exchanges going on in the Internet today and several are being standardized
> > by Internet working groups (e.g. TLS).
> 
> Until now I didn't realize you were raising this as a serious objection.
> To my ear, calling the key exchange for the "Internet Protocol" the "Internet
> Key Exchange" makes the terminology nicely consistent. 

...and therein lies the flaw: it is not 'the' key exchange for IP, it's
'a' key exchange, of which there are many others.

<snip...>

The initial assessment (in my view) is correct: IKE is too broad, and
perhaps even misleading. This nibbles around the corners of a larger
problem which I'm surprised no one has mentioned. ISAKMP is the base
protocol within which key exchange takes place. However, it is NOT
strictly a key-exchange protocol. In fact, it is primarily a SA
management protocol, of which key exchange is one component. The point
is, ISAKMP is the protocol here, not IKE.

ISAKMP is designed to accept key-exchange plug-ins. This makes ISAKMP a
well-designed protocol, in that if we find flaws with the key-exchange
component, it may be replaced without designing an entirely new
protocol. This seems quite reasonable to anticipate, given the relative
dearth of practical operating experience in this frontier.

The IKE document proposes an instantiation of a key-exchange plug-in,
and describes (for purposes of clarity) the entire conglomeration of the
plug-in and the base component in one document, and there now seems to
be this general notion that this is the new ISAKMP, and that (the old)
ISAKMP is now irrelevant. What happens if we find a flaw with the key
exchange portion of the conglomerate? What do we call the next iteration
(if there is one)? The 'Better Internet Key Exchange'?? The 'Second
Internet Key Exchange'? 

I would suggest that the title of the document convey the actual
document contents. It was called 'The resolution of ISAKMP with Oakley'.
Perhaps it should be called something like 'The Oakley Key Exchange for
ISAKMP', which more accurately describes it than the current title.
