
Re: Position statement on IKE development



I suspect if I knew more of the history, I wouldn't have to ask, but I seem
to see a contradiction below.

Marcus Leech wrote:

> ... Formal and semi-formal analyses by Meadows, Schneier et al, and
> Simpson, have shown that the security problems in IKE stem directly
> from its complexity. ...
>
> We are concerned that trying to reuse too much of the IKE
> code base in new protocols ...
> will lead to more complex (and hence vulnerable) implementations.
> We suggest that implementors resist this temptation, ...

This makes sense.
 
> The Security Area Directors have asked the IPSEC working group to come
> up with a replacement for IKE.  This work is underway and is known in
> the community as "Son of IKE". ...

So why are we working on "Son of IKE", which is presumably a new protocol
and presumably re-uses much of IKE?

Presumably there are good reasons we don't just say IKE was a mistake
and switch to Simpson et al's simpler Photuris protocol. What are they?
