Re: Position statement on IKE development
I suspect if I knew more of the history, I wouldn't have to ask, but I seem
to see a contradiction below.
Marcus Leech wrote:
> ... Formal and semi-formal analyses by Meadows, Schneier et al., and
> Simpson, have shown that the security problems in IKE stem directly
> from its complexity. ...
>
> We are concerned that trying to reuse too much of the IKE
> code base in new protocols ...
> will lead to more complex (and hence vulnerable) implementations.
> We suggest that implementors resist this temptation, ...
This makes sense.
> The Security Area Directors have asked the IPSEC working group to come
> up with a replacement for IKE. This work is underway and is known in
> the community as "Son of IKE". ...
So why are we working on "Son of IKE", which is presumably a new protocol
and presumably re-uses much of IKE?
Presumably there are good reasons we don't just say IKE was a mistake
and switch to Simpson et al.'s simpler Photuris protocol. What are they?