
Re: Position statement on IKE development



> As a newcomer to IPSec field (but not to the IETF) one of the things that
> continues to amaze me is the deliberate effort that has been made to create
> a wall between IKE and IPSEC.

Well, this is a good thing -- it means that if you get IKE wrong, it
can be replaced without having to toss the rest of the architecture.

The Solaris implementation is structured specifically to allow for
this; we're extending PF_KEY and adding a PF_POLICY to allow for a
strong separation of concerns between packet protection policy, packet
protection mechanisms, and key management.

This is one of the reasons why we (me and my fellow implementors here)
don't want any ipsra authentication/cert provisioning protocols
running on port 500.

> Therefore, I would suggest that any effort in replacing IKE also consider
> replacing/rewriting portions of IPSEC DOI ...

Last I heard, the son-of-ike plan was to merge the DOI into the key
mgmt document.

I think we also need a better-defined interface between 2401 and the
KM protocol...

					- Bill

