Re: Simplifying IKE (was RE: Reliable delete notifies)
On Fri, 13 Oct 2000, Dan Harkins wrote:
> There was a RIP DOI and an OSPF DOI but they died very quiet deaths.
> Secure multicast will require a different key exchange not just a
> different DOI.
>
I believe they managed to reuse phase 1 and define a different phase 2.
There's a draft out, I think, but I'm not very involved in this work.
> The goals were grand-- generic transport on which a generic key exchange
> is written which has DOIs for specific security services, you can plug in
> different key exchanges and/or make the key exchange work for multiple
> services-- but the reality is otherwise. In fact, the complication of having
> three documents (which are not all in sync) has led many to scream and
> run away in horror when the subject of IKE comes up.
Yes, including me when I first had to read them ;) But I still think it's
worthwhile.
> Remember DOCSIS, Jan?
Not really. I wasn't involved in DOCSIS (unless you mean PacketCable).
> Heck, look at the KKMP/KINK archives for a discussion on the evils of IKE.
>
> Wouldn't a key exchange just for IPsec be better? It seems to me that
> the features that were supposed to attract other people to using IKE have
> had the exactly opposite effect.
>
There's middle-ground, I think...
jan
> Dan.
>
> On Fri, 13 Oct 2000 16:49:36 PDT you wrote
> > On Thu, 12 Oct 2000, Shriver, John wrote:
> >
> > > There are other key exchanges (and domains of interpretation) defined over
> > > ISAKMP. However, they are apparently classified. At least it lets us know
> > > that the spooks trust ISAKMP. (After all, they designed it.)
> > >
> > I've been thinking (not too hard, though) about an snmpv3 DOI, and I know the
> > secure-multicast folks were talking about a separate DOI for multicast keying
> > as well...
> >
> > It's not ALL classified ;)
> >
> > jan
> > --
> > Jan Vilhuber vilhuber@cisco.com
> > Cisco Systems, San Jose (408) 527-0847
> >
>
--
Jan Vilhuber vilhuber@cisco.com
Cisco Systems, San Jose (408) 527-0847