
Re: Agenda for the Minneapolis meeting



Hi Dan,

From a philosophical perspective I understand your point of not wanting
protocols to share a port. But I should point out that the Group DOI
doesn't have the SA payload problem you mention. It doesn't specify a
new phase 1 protocol -- the SA payload process and construct code is the
same code. When phase 1 has completed it determines whether to run IKE
phase 1 or GDOI based on a trivial switch (using the DOI value) in
the state machine. Putting GDOI onto its own port would just remove that
switch.

Will Son-of-IKE have a new port number, since it will be a different
protocol from RFC 2409?

Brian

Dan Harkins wrote:
> 
>   Can you be more specific on the danger?
> 
>   One problem I see with not combining the two is the trend to use
> UDP port 500 as a place to multiplex in different protocols. That is
> a bad thing, in my opinion. If MSEC wants to do a group DOI they should
> find a different port to do a multicast key exchange on. Part of this
> problem is compounded by the design of the SA payload in ISAKMP. The
> DOI is _inside_ the SA payload. So if there are multiple protocols
> all communicating on UDP port 500 you have to start parsing a payload
> before you find out the context under which you should parse it. Whoa!
> I think it is insane to not merge the two. We should dissuade people
> from this bad practice while things like kink and gdoi are still at
> internet-draft stage.
> 
>   Dan.
> 
> On Thu, 15 Mar 2001 14:04:35 EST you wrote
> >
> > I still think removing the distinction between IKE and ISAKMP is very
> > dangerous. We are only now beginning to see the benefits of separating the
> > two. With work in progress on areas like MSEC, SMPLS, Tero's KINK draft,
> > Jari's MAP DOI, I think we would be insane to merge the protocol layers at
> > this point in the game.
> >
> > Andrew
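The layout Dan describes (the DOI sitting inside the SA payload, so a receiver on UDP 500 has to parse into the first payload before it knows which protocol it is speaking) can be made concrete with a small parser. The following is an added example written for this archive page, not code from the thread's authors or from any IKE implementation. It builds constructed ISAKMP datagrams per the RFC 2408 header and SA payload layout (proposals omitted, since they are not needed to find the DOI), and uses DOI numbers 1 for IPsec (RFC 2407) and 2 for GDOI (RFC 3547, assigned after this discussion). The `demux_doi` function returns `None` whenever the DOI cannot be determined safely, which is the practical consequence of the design being debated: a demultiplexer must bounds-check and parse an inner payload just to decide which state machine should own the message.

```python
import struct
from typing import Optional

# ISAKMP fixed header (RFC 2408 section 3.1): two 8-byte cookies, next payload,
# version, exchange type, flags, message ID, total length = 28 bytes.
ISAKMP_HDR_FMT = "!8s8sBBBBII"
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)  # 28

PAYLOAD_SA = 1          # Security Association payload type
PAYLOAD_NOTIFY = 11     # Notification payload type (used below as a non-SA first payload)
EXCH_IDENTITY_PROT = 2  # Main Mode exchange type
VERSION_1_0 = 0x10      # major 1, minor 0

# DOI numbers: 0 generic ISAKMP, 1 IPsec DOI (RFC 2407), 2 GDOI (RFC 3547).
DOI_NAMES = {0: "ISAKMP generic", 1: "IPsec DOI", 2: "GDOI"}


def build_isakmp_sa_message(doi: int, situation: int = 1) -> bytes:
    """Constructed phase 1 datagram whose first payload is an SA payload.

    The SA payload carries only DOI and Situation (no proposals), which is
    all a port-500 demultiplexer would inspect to pick a protocol.
    """
    sa_body = struct.pack("!II", doi, situation)
    # Generic payload header: next payload (0 = none), reserved, payload length
    sa_payload = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    total_len = ISAKMP_HDR_LEN + len(sa_payload)
    hdr = struct.pack(
        ISAKMP_HDR_FMT,
        b"\x11" * 8,        # constructed initiator cookie
        b"\x00" * 8,        # responder cookie is zero in the first message
        PAYLOAD_SA,         # next payload: SA
        VERSION_1_0,
        EXCH_IDENTITY_PROT,
        0,                  # flags
        0,                  # message ID is zero in phase 1
        total_len,
    )
    return hdr + sa_payload


def demux_doi(datagram: bytes) -> Optional[int]:
    """Return the DOI found in the leading SA payload, or None if undeterminable.

    Every early return is a case where a receiver sharing UDP 500 between
    protocols cannot tell which state machine should handle the message
    without first parsing (and bounds-checking) an inner payload.
    """
    if len(datagram) < ISAKMP_HDR_LEN:
        return None  # truncated header
    (_icookie, _rcookie, next_payload, _version, _exch, _flags, _msg_id,
     length) = struct.unpack(ISAKMP_HDR_FMT, datagram[:ISAKMP_HDR_LEN])
    if length != len(datagram):
        return None  # header length disagrees with datagram length
    if next_payload != PAYLOAD_SA:
        return None  # first payload is not an SA payload; DOI not yet visible
    sa_off = ISAKMP_HDR_LEN
    if len(datagram) < sa_off + 12:
        return None  # too short for generic header + DOI + Situation
    _np, _reserved, payload_len = struct.unpack("!BBH", datagram[sa_off:sa_off + 4])
    if payload_len < 12 or sa_off + payload_len > len(datagram):
        return None  # payload length field is inconsistent with the datagram
    doi, _situation = struct.unpack("!II", datagram[sa_off + 4:sa_off + 12])
    return doi


def dispatch(datagram: bytes) -> str:
    """Name the protocol that would own this datagram, for logging or routing."""
    doi = demux_doi(datagram)
    if doi is None:
        return "undeterminable"
    return DOI_NAMES.get(doi, f"unknown DOI {doi}")


if __name__ == "__main__":
    ipsec_msg = build_isakmp_sa_message(1)
    gdoi_msg = build_isakmp_sa_message(2)
    # Constructed variant whose first payload is a Notify rather than an SA:
    notify_first = bytearray(ipsec_msg)
    notify_first[16] = PAYLOAD_NOTIFY  # byte 16 is the header's next-payload field
    for label, msg in [("ipsec", ipsec_msg), ("gdoi", gdoi_msg),
                       ("notify-first", bytes(notify_first)),
                       ("truncated", ipsec_msg[:20])]:
        print(f"{label:13s} -> {dispatch(msg)}")
```

The point of the `notify_first` and truncated cases is the one Dan raises: port-level demultiplexing works only when the very first payload is a well-formed SA payload, so any receiver that multiplexes protocols on UDP 500 needs the full length checks above before it can even choose a parser.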
