
Re: Q about SA bundles
>If the current ISAKMP is to be used, what you suggest (complex ACQUIRE
>with conjunctive offers) does become necessary. The current ISAKMP and
>PFKEY v2 do not work together. And, of course, my point is: ISAKMP
>should adjust, not the PFKEY v2.

Let me get this straight: You're suggesting that we "adjust" the over-
the-wire protocol - a protocol which, by the way, has been successfully
tested for interoperability and which has been fielded all over the
world - just because some internal API does things differently?

Why don't we go and "adjust" the order of the source and destination
addresses in the IPv4 header while we're at it?  After all, some
router implementations might be faster if they didn't have to look
as far in the packet header for the destination address.

I'm sorry if this sounds harsh.  I don't really want it to be so
harsh, but I just don't have any better way of making the point
I'm trying to make here.  The IKE (and IPSEC) protocols as they
stand now are the product of *years* of debate.  A lot of compromises
had to be made along the way.  But the end result is a protocol that
does work, and that does solve real-world problems.  If it were a
couple years ago, when we were still hashing out the key management
protocol details, then maybe this would be the right time to be
discussing it as an issue.  But that time is long past now.

And even if we were still debating the protocol, I'd have to agree
with Dan.  If you want to do AH and ESP at the same time, then that's
what you should say.  The protocol is capable of expressing that
unambiguously, as two proposals joined together with the same proposal
number.  If you want to do just ESP, or just AH, then state it that
way.

-Shawn Mamros
E-mail to: smamros@BayNetworks.com
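The "two proposals joined together with the same proposal number" encoding referred to above, as an added example that is not from the original thread or any named implementation: the Proposal payload layout and the protocol/transform identifiers follow RFC 2408 and RFC 2407; the SPI values and transform choices are constructed sample input.

```python
import struct
from itertools import groupby

# Identifiers from RFC 2408 (ISAKMP) and RFC 2407 (IPsec DOI).
PAYLOAD_NONE, PAYLOAD_PROPOSAL = 0, 2
PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 2, 3
AH_SHA, ESP_3DES = 3, 3          # transform IDs within the AH and ESP protocols

def build_transform(transform_id):
    # Transform payload with no attributes: the 8-byte fixed header only
    # (Next Payload = none, Transform # = 1).
    return struct.pack("!BBHBBH", PAYLOAD_NONE, 0, 8, 1, transform_id, 0)

def build_proposal(number, protocol, spi, transform_id, last):
    # Proposal payload: 8-byte header, then the SPI, then one transform.
    transform = build_transform(transform_id)
    next_payload = PAYLOAD_NONE if last else PAYLOAD_PROPOSAL
    header = struct.pack("!BBHBBBB", next_payload, 0,
                         8 + len(spi) + len(transform), number, protocol, len(spi), 1)
    return header + spi + transform

def build_sa_proposals(offers):
    # offers: (proposal number, protocol, SPI bytes, transform ID), in wire order.
    return b"".join(build_proposal(n, p, s, t, i == len(offers) - 1)
                    for i, (n, p, s, t) in enumerate(offers))

def parse_proposals(data):
    # Walk the Proposal chain; return (proposal number, protocol, SPI) triples.
    out, off = [], 0
    while True:
        nxt, _, length, number, protocol, spi_size, _ = struct.unpack_from("!BBHBBBB", data, off)
        out.append((number, protocol, data[off + 8:off + 8 + spi_size]))
        if nxt == PAYLOAD_NONE:
            return out
        if nxt != PAYLOAD_PROPOSAL:
            raise ValueError("unexpected payload type %d after proposal" % nxt)
        off += length

def conjunctive_groups(proposals):
    # Same proposal number = protocols applied together (AND, e.g. AH+ESP);
    # a new number = an alternative offer (OR). RFC 2408 requires proposal
    # numbers to be grouped and non-decreasing, so anything else is rejected.
    numbers = [p[0] for p in proposals]
    if numbers != sorted(numbers):
        raise ValueError("proposal numbers out of order: %r" % numbers)
    return [(num, [p[1] for p in items])
            for num, items in groupby(proposals, key=lambda p: p[0])]

# Constructed sample: offer 1 = AH and ESP together, offer 2 = ESP alone.
OFFERS = [(1, PROTO_IPSEC_AH, b"\x00\x00\x00\x01", AH_SHA),
          (1, PROTO_IPSEC_ESP, b"\x00\x00\x00\x02", ESP_3DES),
          (2, PROTO_IPSEC_ESP, b"\x00\x00\x00\x03", ESP_3DES)]

if __name__ == "__main__":
    print(conjunctive_groups(parse_proposals(build_sa_proposals(OFFERS))))
```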