
Re: Position statement on IKE development



  I discussed this in Minneapolis. The plan is to combine ISAKMP, IKE,
and the IPsec DOI into a single draft describing a key management
protocol for IPsec. 

  The intent, as well-meaning as it was, was to have a generic language 
(ISAKMP) in which to describe a key management protocol and there could
be many key management protocols with IKE as just one of them. IKE, then,
was supposed to be a generic key exchange protocol which could create 
"SAs" for multiple services, of which IPsec (specified in the DOI) was 
just one. But IKE is the only thing that used ISAKMP and the other two
DOI documents-- OSPF and RIP-- died a quiet death.

  The benefit of having this artificial layering is nil and the cost
(the nuisance factor you mention, the conflicting verbiage, the unnecessary
repetition of things, the incredible complexity it causes) is high so
it is being done away with. There should be only one thing that listens
on UDP port 500 and that is a key management protocol for IPsec which
should be described in a (relatively) short and concise draft. I'm 
working on it.

  Dan.

On Fri, 03 Aug 2001 15:29:09 EDT Henry Spencer wrote
> On Fri, 3 Aug 2001, Bill Sommerfeld wrote:
> > > Therefore, I would suggest that any effort in replacing IKE also consider
> > > replacing/rewriting portions of IPSEC DOI ...
> > 
> > Last I heard, the son-of-ike plan was to merge the DOI into the key
> > mgmt document.
> 
> Realistically, there's no meaningful distinction between IKE and the DOI.
> In fact, the separation between the two documents is a real nuisance when
> one is looking for obscure details.  They need to be considered as a unit.
> 
>                                                           Henry Spencer
>                                                        henry@spsystems.net