
Re: Last Call for IPSEC



  The "flaw"? The name is a flaw? 

  Please tell me your opinion on The Point-to-Point Tunneling Protocol.
There are others, and some would say better ones, yet no one claims that 
PPTP is flawed because of its name. And no one is upset at the broadness 
of its claim to be _The_ Point-to-Point Tunneling Protocol.

  The problem of the conglomeration of a plug-in? If there was any doubt
anywhere that the IPSec WG was finished, I hope this ridiculous discussion
dispels it. 

  Dan.

> Lewis McCarthy wrote:
> > 
> > Peter Ford writes:
> > > 3) calling anything the Internet
> > > Key Exchange (IKE) should not happen since there are many Internet Key
> > > Exchanges going on in the Internet today and several are being standardized
> > > by Internet working groups(e.g TLS).
> > 
> > Until now I didn't realize you were raising this as a serious objection.
> > To my ear, calling the key exchange for the "Internet Protocol" the "Internet
> > Key Exchange" makes the terminology nicely consistent. 
> 
> ...and therein lies the flaw: it is not 'the' key exchange for IP, it's
> 'a' key exchange, of which there are many others.
> 
> <snip...>
> 
> The initial assessment (in my view) is correct: IKE is too broad, and
> perhaps even misleading. This nibbles around the corners of a larger
> problem which I'm surprised no one has mentioned. ISAKMP is the base
> protocol within which key exchange takes place. However, it is NOT
> strictly a key-exchange protocol. In fact, it is primarily a SA
> management protocol, of which key exchange is one component. The point
> is, ISAKMP is the protocol here, not IKE.
> 
> ISAKMP is designed to accept key-exchange plug-ins. This makes ISAKMP a
> well-designed protocol, in that if we find flaws with the key-exchange
> component, it may be replaced without designing an entirely new
> protocol. This seems quite reasonable to anticipate, given the relative
> dearth of practical operating experience in this frontier.
> 
> The IKE document proposes an instantiation of a key-exchange plug-in,
> and describes (for purposes of clarity) the entire conglomeration of the
> plug-in and the base component in one document, and there now seems to
> be this general notion that this is the new ISAKMP, and that (the old)
> ISAKMP is now irrelevant. What happens if we find a flaw with the key
> exchange portion of the conglomerate? What do we call the next iteration
> (if there is one)? The 'Better Internet Key Exchange'?? The 'Second
> Internet Key Exchange'? 
> 
> I would suggest that the title of the document convey the actual
> document contents. It was called 'The resolution of ISAKMP with Oakley'.
> Perhaps it should be called something like 'The Oakley Key Exchange for
> ISAKMP', which more accurately describes it than the current title.


