
RE: Agenda for the Minneapolis meeting



Dan, I think you are right about what you said concerning not reusing port
500, however that wasn't what I was thinking of.

Right now, we have a division between payload formats, exchange types, and
the DOI. This is a huge advantage if you are trying to write a new security
protocol which is closely related to IKE. In many cases you only need to
define a new DOI. Perhaps you only need a new exchange type or a new payload
format. It really helps to break the problem down into its subcomponents.

If there is a flaw in ISAKMP, it is that it both defines the payload formats
and explains how to design a security protocol. The former is a useful
reference, whereas the latter part is something you read mostly as
background material. In fact, this is where most of the overlap with the IKE
RFC occurs. Maybe some of the information on packet processing and protocol
design should be moved into a separate document or incorporated into the new
IKE document.

I would be more inclined to separate the problem space into 4 or 5 shorter
RFCs depending on factors like mutability, target audience, and value as an
implementor's reference.

Example (apologies if this wraps on your display):

area                 currently k.a.      audience      referenced   mutability
-------------------  ------------------  ------------  -----------  ----------
Protocol Design      ISAKMP throughout   integrator    rare         n/a
Defn of Payloads     ISAKMP middle       implementor   frequent     rare
DOI                  DOI                 implementor   frequent     frequent
Negotiation          IKE + ISAKMP end    all           frequent     moderate
Security Properties  list archives       all           rare         moderate

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: Dan Harkins [mailto:dharkins@cips.nokia.COM]
> Sent: Thursday, March 15, 2001 2:22 PM
> To: andrew.krywaniuk@alcatel.com
> Cc: 'Scott Fanning'; Mike_Borella@3com.com; ipsec@lists.tislabs.com
> Subject: Re: Agenda for the Minneapolis meeting
>
>
>   Can you be more specific on the danger?
>
>   One problem I see with not combining the two is the trend to use
> UDP port 500 as a place to multiplex in different protocols. That is
> a bad thing, in my opinion. If MSEC wants to do a group DOI they should
> find a different port to do a multicast key exchange on. Part of this
> problem is compounded by the design of the SA payload in ISAKMP. The
> DOI is _inside_ the SA payload. So if there are multiple protocols
> all communicating on UDP port 500 you have to start parsing a payload
> before you find out the context under which you should parse it. Whoa!
> I think it is insane to not merge the two. We should dissuade people
> from this bad practice while things like kink and gdoi are still at
> internet-draft stage.
>
>   Dan.
>
> On Thu, 15 Mar 2001 14:04:35 EST you wrote
> >
> > I still think removing the distinction between IKE and ISAKMP is very
> > dangerous. We are only now beginning to see the benefits of separating the
> > two. With work in progress on areas like MSEC, SMPLS, Tero's KINK draft,
> > Jari's MAP DOI, I think we would be insane to merge the protocol layers at
> > this point in the game
> >
> > Andrew
>
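Both the layering Andrew describes (exchange type, payload format, DOI as separate pieces) and Dan's objection (the DOI sits inside the SA payload, so a receiver on a shared port has to start parsing before it knows the context) can be seen in the byte layout. The following Python is an added example, not code from either poster or from any IKE implementation. It builds a minimal ISAKMP message using the RFC 2408 layout (28-byte fixed header, generic payload headers chained by next-payload type, SA payload body beginning with DOI and Situation) and then walks the payload chain to find the DOI. Cookies, the nonce filler bytes and the second DOI value are constructed sample values; proposals and transforms are omitted since they follow the DOI and do not affect the point.

```python
import struct

# ISAKMP fixed header (RFC 2408 s3.1): initiator cookie, responder cookie,
# next payload, version, exchange type, flags, message ID, length = 28 bytes.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (s3.2): next payload, reserved, payload length.
GENERIC_HDR = struct.Struct("!BBH")

PAYLOAD_NONE = 0
PAYLOAD_SA = 1       # Security Association payload
PAYLOAD_NONCE = 10   # Nonce payload

EXCHANGE_IDENTITY_PROTECTION = 2   # "Main Mode" in IKE
EXCHANGE_AGGRESSIVE = 4

DOI_IPSEC = 1        # IPsec DOI (RFC 2407)
DOI_OTHER = 0xABCD   # constructed sample value for "some other DOI"
SIT_IDENTITY_ONLY = 1


def sa_body(doi, situation):
    """Start of an SA payload body: DOI then Situation (proposals omitted)."""
    return struct.pack("!II", doi, situation)


def build_message(payloads, exchange_type, icookie=b"\x11" * 8):
    """Assemble header + chained payloads. payloads is a list of (type, body)."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    total = ISAKMP_HDR.size + len(chain)
    hdr = ISAKMP_HDR.pack(icookie, b"\x00" * 8, first, 0x10,
                          exchange_type, 0, 0, total)
    return hdr + chain


def find_doi(msg):
    """Return {'exchange_type', 'doi', 'payloads_skipped'} or None if no SA.

    The exchange type is known after 28 bytes; the DOI is only known after
    walking the payload chain to an SA payload and reading its body.
    Raises ValueError on truncated or self-inconsistent input.
    """
    if len(msg) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    (_ic, _rc, nxt, _ver, exch, _flags, _mid, length) = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("header length does not match message")
    off = ISAKMP_HDR.size
    skipped = 0
    while nxt != PAYLOAD_NONE:
        if off + GENERIC_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        ptype = nxt
        nxt, _res, plen = GENERIC_HDR.unpack_from(msg, off)
        if plen < GENERIC_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        if ptype == PAYLOAD_SA:
            if plen < GENERIC_HDR.size + 8:
                raise ValueError("SA payload too short for DOI/Situation")
            doi, _sit = struct.unpack_from("!II", msg, off + GENERIC_HDR.size)
            return {"exchange_type": exch, "doi": doi, "payloads_skipped": skipped}
        skipped += 1
        off += plen
    return None


if __name__ == "__main__":
    m = build_message([(PAYLOAD_NONCE, b"\xaa" * 16),
                       (PAYLOAD_SA, sa_body(DOI_OTHER, SIT_IDENTITY_ONLY))],
                      EXCHANGE_AGGRESSIVE)
    print(find_doi(m))
```

The walk in `find_doi` is the cost Dan is pointing at: nothing in the fixed header says which DOI the message belongs to, so a listener that multiplexes several protocols on one port has committed to ISAKMP's framing, and to parsing untrusted payload lengths, before it can route the message.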
