
Re: Simplifying IKE (was RE: Reliable delete notifies)



  There was a RIP DOI and an OSPF DOI but they died very quiet deaths.
Secure multicast will require a different key exchange not just a
different DOI.

  The goals were grand-- generic transport on which a generic key exchange
is written which has DOIs for specific security services, you can plug in
different key exchanges and/or make the key exchange work for multiple
services-- but the reality is otherwise. In fact, the complication of having
three documents (which are not all in sync) has led many to scream and
run away in horror when the subject of IKE comes up. Remember DOCSIS, Jan?
Heck, look at the KKMP/KINK archives for a discussion on the evils of IKE.

  Wouldn't a key exchange just for IPsec be better? It seems to me that
the features that were supposed to attract other people to using IKE have
had exactly the opposite effect.

  Dan.

On Fri, 13 Oct 2000 16:49:36 PDT you wrote
> On Thu, 12 Oct 2000, Shriver, John wrote:
> 
> > There are other key exchanges (and domains of interpretation) defined over
> > ISAKMP.  However, they are apparently classified.  At least it lets us know
> > that the spooks trust ISAKMP.  (After all, they designed it.)
> > 
> I've been thinking (not too hard, though) about an snmpv3 DOI, and I know the
> secure-multicast folks were talking about a separate DOI for multicast keying
> as well...
> 
> It's not ALL classified ;)
> 
> jan
>  --
> Jan Vilhuber                                            vilhuber@cisco.com
> Cisco Systems, San Jose                                     (408) 527-0847
> 

