[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE must have no Heirs

To: Alex Alten <Alten@home.com>
Subject: Re: IKE must have no Heirs
From: Dan Harkins <dharkins@lounge.org>
Date: Tue, 07 Aug 2001 07:23:14 -0700
Cc: Kory Hamzeh <kory@avatar.com>, "Hallam-Baker, Phillip" <pbaker@verisign.com>, "'mcnelson@mindspring.com'" <mcnelson@mindspring.com>, ipsec@lists.tislabs.com
In-Reply-To: Your message of "Tue, 07 Aug 2001 00:28:20 PDT." <3.0.3.32.20010807002820.010a77f8@mail>
Sender: owner-ipsec@lists.tislabs.com

  It was called SKIP. I suggest you guys familiarize yourselves with
this WG.

  Dan.

On Tue, 07 Aug 2001 00:28:20 PDT you wrote
> 
> I second the motion. And also propose no port number (i.e. do the new
> one over raw IP).
> 
> - Alex
> 
> At 11:07 PM 8/6/2001 -0700, Kory Hamzeh wrote:
> >
> >Well said. I agree with you 100%. Throw is out and let's start from
> >scratch with something more reasonable and realistic.
> >
> >Kory
> >
> >
> >On Mon, 6 Aug 2001, Hallam-Baker, Phillip wrote:
> >
> >> 
> >> > Unfortunately the notion that IPsec should simply \"bind
> >> > a key to an IP address\" was rejected repeatedly throughout
> >> > the history of the IPsec WG.  
> >> 
> >> This is why I think we have to stop talking about 'son of IKE'
> >> as if the problem was in the 7 years and 9 months of trying to 
> >> implement the requirements and not the 3 months of requirements
> >> capture.
> >> 
> >> [ ..... ]
> >> 
> >> From here there are two routes forward. We could specify a reduced
> >> IKE, eliminating all but 2 of the current 8 modes, simplifying the 
> >> negotiation, knife AH... to result in a simpler draft that we can be 
> >> confident would get a broad review. I think that would have been an 
> >> excellent idea three years ago, I think that it is too late after
> >> the interop tests have been performed. All that would come out
> >> is a description of a profile of the current spec that resulted
> >> in one configuration that was secure. But implementations would
> >> still be constrained by the existing legacy base which would 
> >> drag deployments back into the mire of unexamined code paths and
> >> unanticipated interactions.
> >> 
> >> The second is to burn the current drafts and start from scratch
> >> with a fresh port number. If any change is made that breaks
> >> backwards compatibility then this might as well be what you do.
> >> 
> >> In short the phrase 'Son of IKE' is part of the problem, not
> >> the solution. IKE must have no heirs, it is time for a new dynasty
> >> to take the throne.
> >> 
> >> 
> >> 		Phill
> >> 
> >> 
> >
> >
> --
> 
> Alex Alten
> 
> Alten@Home.Com
> 
>

Follow-Ups:

Re: IKE must have no Heirs

From: Kory Hamzeh <kory@avatar.com>

References:

Re: IKE must have no Heirs

From: Alex Alten <Alten@home.com>

Prev by Date: Re: IKE must have no Heirs
Next by Date: Re: Wes Hardaker: opportunistic encryption deployment problems
Prev by thread: Re: IKE must have no Heirs
Next by thread: Re: IKE must have no Heirs
Index(es):
- Main
- Thread