
Re: Last Call for IPSEC



Scott G. Kelly writes:
> ...and therein lies the flaw: it is not 'the' key exchange for IP, it's
> 'a' key exchange, of which there are many others.

There are certainly other key exchanges defined for IP, but AFAIK the
IETF is only standardizing this one as the key exchange protocol for IP
security. If Photuris or SKIP were continuing in the IETF standards
process then I would agree that the name "IKE" would be inappropriate.

[...elided...]
> The IKE document proposes an instantiation of a key-exchange plug-in,
> and describes (for purposes of clarity) the entire conglomeration of the
> plug-in and the base component in one document, and there now seems to
> be this general notion that this is the new ISAKMP, and that (the old)
> ISAKMP is now irrelevant. 

As you say, IKE = ISAKMP + Oakley + other_stuff (e.g. some pieces of SKEME),
and we may need to switch to ISAKMP + something_else in the future. 
Endowing the conglomeration with a single new name such as "IKE" is clearer
IMHO than referring to it in terms of both "ISAKMP" and "Oakley". Anyone
who reads as far as the abstract will understand that IKE is a synthesis of
several protocols. I believe the title is easier to grasp if it doesn't
enumerate all those other protocols.
"1. Abstract

   "[MSST98] (ISAKMP) provides a framework for authentication and key
   exchange but does not define them.  ISAKMP is designed to be key
   exchange independent; that is, it is designed to support many
   different key exchanges.

   "[Orm96] (Oakley) describes a series of key exchanges-- called
   "modes"-- and details the services provided by each (e.g. perfect
   forward secrecy for keys, identity protection, and authentication).

   "[Kra96] (SKEME) describes a versatile key exchange technique which
   provides anonymity, repudiability, and quick key refreshment.

   "This document describes a protocol using part of Oakley and part of
   SKEME in conjunction with ISAKMP to obtain authenticated keying
   material for use with ISAKMP, and for other security associations
   such as AH and ESP for the IETF IPsec DOI."


> What happens if we find a flaw with the key
> exchange portion of the conglomerate? What do we call the next iteration
> (if there is one)? The 'Better Internet Key Exchange'?? The 'Second
> Internet Key Exchange'?

Since we have "IPv4" and "IPv6", it would seem entirely reasonable to me
to have, say, "IKE" and "IKEv2". I admit that your acronyms are more
appealing, though. :-)

-Lewis
