
Re: Simplifying IKE (was RE: Reliable delete notifies)



On Fri, 13 Oct 2000, Dan Harkins wrote:

>   There was a RIP DOI and an OSPF DOI but they died very quiet deaths.
> Secure multicast will require a different key exchange not just a
> different DOI.
> 
I believe they managed to reuse phase 1 and define a different phase 2.
There's a draft out, I think, but I'm not very involved in this work.

>   The goals were grand-- generic transport on which a generic key exchange
> is written which has DOIs for specific security services, you can plug in
> different key exchanges and/or make the key exchange work for multiple
> services-- but the reality is otherwise. In fact, the complication of having
> three documents (which are not all in sync) has lead many to scream and
> run away in horror when the subject of IKE comes up.

Yes, including me when I first had to read them ;) But I still think it's
worthwhile.

> Remember DOCSIS, Jan? 

Not really. I wasn't involved in DOCSIS (unless you mean PacketCable).

> Heck, look at the KKMP/KINK archives for a discussion on the evils of IKE. 
> 
>   Wouldn't a key exchange just for IPsec be better? It seems to me that
> the features that were supposed to attract other people to using IKE have
> had the exactly opposite effect. 
> 
There's middle-ground, I think...

jan


>   Dan.
> 
> On Fri, 13 Oct 2000 16:49:36 PDT you wrote
> > On Thu, 12 Oct 2000, Shriver, John wrote:
> > 
> > > There are other key exchanges (and domains of interpretation) defined over
> > > ISAKMP.  However, they are apparently classified.  At least it lets us know
> > > that the spooks trust ISAKMP.  (After all, they designed it.)
> > > 
> > I've been thinking (not too hard, though) about an snmpv3 DOI, and I know the
> > secure-multicast folks were talking about a separate DOI for multicast keying
> > as well...
> > 
> > It's not ALL classified ;)
> > 
> > jan
> >  --
> > Jan Vilhuber                                            vilhuber@cisco.com
> > Cisco Systems, San Jose                                     (408) 527-0847
> > 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847


