Re: Simplifying IKE (was RE: Reliable delete notifies)
On 13 Oct 00, at 2:47, Richard Guy Briggs wrote:
> On Fri, Oct 13, 2000 at 09:46:27AM +0400, Valery Smyslov wrote:
> > On 12 Oct 00, at 19:06, Henry Spencer wrote:
> > > On Thu, 12 Oct 2000, Mark Baugher wrote:
> > > > >Realistically, anyone designing a new key-management protocol would have
> > > > >to be out of his mind to base it on ISAKMP.
> > > >
> > > > Why?
> > >
> > > Because it's grossly complex, badly designed, and poorly documented.
> > > It doesn't do enough for you to be worth the trouble.
> >
> > Please, suggest an alternative.
>
> Photuris. See OpenBSD.org

I know it well and I like it (especially its true stateless cookies).
However, it is not a real alternative to ISAKMP. It may be considered
as an alternative to IKE (as an "instantiation" of ISAKMP), but not
to ISAKMP itself. Even compared to IKE, Photuris (despite some
really good things that it has), IMHO, suffers from a lack of
extensibility and flexibility. Photuris demonstrates a good solid
design, but any attempt to add something substantially different to
the protocol may lead to its collapse.

Any more suggestions (please, do not mention SKIP or HIP)?

Regards,
Valery Smyslov.

> > > Henry Spencer
> >
> > Regards,
> > Valery Smyslov.
>
> slainte mhath, RGB
> - --
> Richard Guy Briggs -- PGP key available Auto-Free Ottawa! Canada
> <www.conscoop.ottawa.on.ca/rgb/> <www.flora.org/afo/>
> Prevent Internet Wiretapping! -- FreeS/WAN:<www.freeswan.org>
> Thanks for voting Green! -- <green.ca> Marillion:<www.marillion.co.uk>
>