
Re: Re draft-kaufman-ipsec-improveike-00.txt




Jan Vilhuber wrote:

 > 
 > I suggest we work on more than one keying mechanism. Each one should be
 > simple and should be tailored to one type of environment (the VPN space is
 > after all very different from the core-network environment). Different people
 > will have different requirements, too.

I support this idea. A particular example comes to my mind: cellular systems
for instance typically have long delay times and probably want to make
the tradeoff of fewer roundtrips against e.g. PFS/identity protection/some DoS
holes. In some environments, some of the lost features would be your
most important ones. Conflicts like this will lead to an incredible shouting
contest when Son-of-IKE is being designed. It is important to understand
that there are conflicting requirements.

(On the other hand, I'm not fully convinced that completely separate protocols
are needed. Starting from scratch, it might be possible to have a cleaner
design that separates various protocol functionalities better. For instance,
servers that are under a DoS attack might respond to all key management
requests that "no, you have to run the DoS-preventing-puzzle-solving-protocol
first".)

Jari