Re: Last Call for IPSEC
Scott G. Kelly writes:
> ...and therein lies the flaw: it is not 'the' key exchange for IP, it's
> 'a' key exchange, of which there are many others.
There are certainly other key exchanges defined for IP, but AFAIK the
IETF is only standardizing this one as the key exchange protocol for IP
security. If Photuris or SKIP were continuing in the IETF standards
process then I would agree that the name "IKE" would be inappropriate.
[...elided...]
> The IKE document proposes an instantiation of a key-exchange plug-in,
> and describes (for purposes of clarity) the entire conglomeration of the
> plug-in and the base component in one document, and there now seems to
> be this general notion that this is the new ISAKMP, and that (the old)
> ISAKMP is now irrelevant.
As you say, IKE = ISAKMP + Oakley + other_stuff (e.g. some pieces of SKEME),
and we may need to switch to ISAKMP + something_else in the future.
Endowing the conglomeration with a single new name such as "IKE" is clearer
IMHO than referring to it in terms of both "ISAKMP" and "Oakley". Anyone
who reads as far as the abstract will understand that IKE is a synthesis of
several protocols. I believe the title is easier to grasp if it doesn't
enumerate all those other protocols.
"1. Abstract
"[MSST98] (ISAKMP) provides a framework for authentication and key
exchange but does not define them. ISAKMP is designed to be key
exchange independent; that is, it is designed to support many
different key exchanges.
"[Orm96] (Oakley) describes a series of key exchanges-- called
"modes"-- and details the services provided by each (e.g. perfect
forward secrecy for keys, identity protection, and authentication).
"[Kra96] (SKEME) describes a versatile key exchange technique which
provides anonymity, repudiability, and quick key refreshment.
"This document describes a protocol using part of Oakley and part of
SKEME in conjunction with ISAKMP to obtain authenticated keying
material for use with ISAKMP, and for other security associations
such as AH and ESP for the IETF IPsec DOI."
> What happens if we find a flaw with the key
> exchange portion of the conglomerate? What do we call the next iteration
> (if there is one)? The 'Better Internet Key Exchange'?? The 'Second
> Internet Key Exchange'?
Since we have "IPv4" and "IPv6", it would seem entirely reasonable to me
to have, say, "IKE" and "IKEv2". I admit that your acronyms are more
appealing, though. :-)
-Lewis