Re: Position statement on IKE development



On Thu, 2 Aug 2001, Alex Alten wrote:
> ...Their suggestion to use a process like NIST's for selecting
> the AES standard is an excellent one. It's a pity they did not suggest
> it a decade ago. However it should be considered seriously not only
> for the replacement of IKE, but possibly also for the modification or
> simplification of the entire IPsec protocol suite...

I think this is throwing the baby out with the bathwater.

While the packet-level parts (ESP etc.) do have some flaws, most of those
can be fixed simply by taking a big black pen and crossing out superfluous
parts of the existing specs (e.g., all of RFC 2402).  While there is room
for some debate about exactly which parts should be crossed out (e.g.,
there are people who still think AH is useful), I think there would be
little or no support for redesigning the surviving parts.  So a design
competition does not seem very useful in this area.  Moreover, *this* is
the area where there is massive investment in silicon, solder traces, etc. 
Just deleting features does not, by and large, invalidate that investment.

IKE is the disaster area.  The rest of IPsec could use some judicious
featurectomies, but is not badly broken.

                                                          Henry Spencer
                                                       henry@spsystems.net
