
Re: Phase 1 Re-keying Implementation Identification
Michael Richardson wrote:
>   So, my opinion is that everyone is right. (That should make me popular)

Yes, you're a popular guy. I'd like to draw attention to something that
has been alluded to by both Dan and Tero, but that seems to be missed in
the chatter. Nobody here is advocating the wholesale disposal of phase 1
SAs after phase 2 is negotiated. I think we all agree that they remain
useful under many circumstances. I think the point is that there is no
requirement that the phase 1 SA remains. This doesn't mean that it won't
under most circumstances, but only that it is not required to do so. 

Adding a "continuous mode" means adding a requirement that the phase 1
SA remain as long as there are related phase 2 SAs. This requires
changing the behavior of everyone's IKE implementation (even if they do
not implement it), as Dan noted; it has architectural implications, as I
noted; and it has other implications, as Tero noted. I guess the
question before us is, what is the case for modifying everyone's IKE
implementation? That is, what are the benefits if we do vs. what are the
costs if we do not? So far, I don't think that a convincing case has
been made for the requested modifications.

Scott
