
Re: Simplifying IKE



 In your previous mail you wrote:

   Francis Dupont writes:
    > PS: I am not in favor to reduce IPsec to VPNs, the thing which will
    >     happen if we remove AH then transport mode...
   
   Francis,
   
   I'm not in favor of VPN only IPsec either,

=> but VPNs are the current market, so if we remove everything not used
today only VPN stuff will remain. AH seems to be the first victim of
the "simplifying IKE" process and transport mode will be the second
(even if this has almost nothing to do with the IKE issue and transport
mode is more primitive than tunnel mode: tunnel mode is used in VPNs
so it cannot be removed). IMHO this is just "remove everything we
don't like or don't use", but the net result can be a VPN-only IPsec.

   but I don't understand how removal of AH would be a step in that direction.

=> reread all the non-IKE stuff in this thread...

   The very existence of AH, I think, is at the root of 
   a lot of the misunderstanding that happened with MIPv6.

=> I disagree: the purpose of AH is the protection of payload
and headers (something ESP should not do because there already is AH)
and for a signaling protocol like MIPv6 AH is both simpler and cheaper
to use. The trouble of IPsec with MIPv6 is more IKE (the thing we are
supposed to simplify): obviously to run IKE phases 1 & 2 in order
to protect BUs (sometimes a single small packet) is overkill.

   It may not have eliminated all of the misuses of IPsec,

=> misuses = other uses than VPNs (:-) ?
(note: you can answer seriously)

   but it seems like a pretty vivid example of how more
   options == more confusion of how they all work (or
   don't work as the case were).
   
=> I disagree: AH for MIPv6 works; it is not deployable
(because of the global PKI/authorization issue) nor efficient
(as concrete tests have shown). And I believe we'll still see
IPsec and MIPv6 together in the future because IPsec only
provides a good security service in the network layer
(i.e. not everywhere but somewhere).

Regards

Francis.Dupont@enst-bretagne.fr

PS: what the MIPv6 misadventure has shown too is that there is a place
for more than one keying protocol.
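The point made above, that AH protects the headers as well as the payload while transport-mode ESP protects only what follows the IP header, can be shown on the wire. The Python below is an added example, not part of Francis Dupont's message and not code from any IPsec implementation: it builds a transport-mode AH packet and an integrity-only (NULL-encryption) ESP packet around the same payload, computes HMAC-SHA1-96 ICVs over the bytes that RFC 2402/2404 (AH) and RFC 2406/2410 (ESP) say are covered, then modifies the packets in flight and checks what each side detects. The key, the addresses, the SPI and the 12-byte stand-in for a Mobility Header carrying a Binding Update are constructed for the demo; only the fixed IPv6 header is handled, and RFC 2402's extra rules for extension headers (a Routing Header, for instance) are left out.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo parameters (illustration only; nothing here is a real key or SA).
KEY = bytes.fromhex("0b" * 20)
SRC = ipaddress.IPv6Address("2001:db8::1")
DST = ipaddress.IPv6Address("2001:db8::2")
SPI = 0x00001000
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404): SHA-1 HMAC truncated to 96 bits
AH_LEN = 12 + ICV_LEN   # fixed AH fields + ICV

IPPROTO_ESP, IPPROTO_AH, IPPROTO_MH = 50, 51, 135
# Constructed 12-byte stand-in for a Mobility Header carrying a Binding Update.
BU = bytes([0x3B, 0x01, 0x05, 0x00]) + b"\x00" * 8


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64, tclass=0, flow=0):
    """Fixed 40-byte IPv6 header, no extension headers."""
    first = (6 << 28) | (tclass << 20) | flow
    return struct.pack("!IHBB", first, payload_len, next_header, hop_limit) + src.packed + dst.packed


def zero_mutable_ipv6(hdr):
    """RFC 2402 s3.3.3.1.2: for the ICV, AH zeroes the IPv6 fields that may
    change in transit (Traffic Class, Flow Label, Hop Limit) and keeps
    Version, Payload Length, Next Header and both addresses."""
    version_only = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + hdr[4:7] + b"\x00" + hdr[8:]


def ah_icv(key, ip_hdr, next_header, seq, payload):
    """AH ICV: HMAC over (IP header with mutable fields zeroed) ||
    (AH header with its ICV field zeroed) || payload."""
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, SPI, seq) + b"\x00" * ICV_LEN
    mac = hmac.new(key, zero_mutable_ipv6(ip_hdr) + ah + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_packet(key, src, dst, seq, payload, hop_limit=64):
    """Transport-mode AH: IPv6 | AH | payload."""
    hdr = ipv6_header(src, dst, IPPROTO_AH, AH_LEN + len(payload), hop_limit)
    icv = ah_icv(key, hdr, IPPROTO_MH, seq, payload)
    return hdr + struct.pack("!BBHII", IPPROTO_MH, AH_LEN // 4 - 2, 0, SPI, seq) + icv + payload


def ah_verify(key, pkt):
    hdr, ah, payload = pkt[:40], pkt[40:40 + AH_LEN], pkt[40 + AH_LEN:]
    next_header, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return spi == SPI and hmac.compare_digest(ah_icv(key, hdr, next_header, seq, payload), ah[12:])


def esp_body(seq, payload):
    """ESP with NULL encryption (RFC 2410): SPI | seq | payload | padding to a
    4-byte boundary | pad length | next header.  The ESP ICV covers exactly
    these bytes, so nothing in the IP header in front of them is protected."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPPROTO_MH])
    return struct.pack("!II", SPI, seq) + payload + trailer


def esp_packet(key, src, dst, seq, payload, hop_limit=64):
    """Transport-mode ESP, integrity only: IPv6 | ESP header | payload | trailer | ICV."""
    body = esp_body(seq, payload)
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv6_header(src, dst, IPPROTO_ESP, len(body) + ICV_LEN, hop_limit) + body + icv


def esp_verify(key, pkt):
    body, icv = pkt[40:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN], icv)


# In-flight modifications.
def with_hop_limit(pkt, hl):      # what every router on the path does
    return pkt[:7] + bytes([hl]) + pkt[8:]


def with_dst(pkt, new_dst):       # what someone rewriting the header does
    return pkt[:24] + new_dst.packed + pkt[40:]


def flip_byte(pkt, offset):
    return pkt[:offset] + bytes([pkt[offset] ^ 0xFF]) + pkt[offset + 1:]


def compare_coverage(key=KEY):
    """Return, per protocol, whether each modified packet still verifies."""
    results = {}
    for name, build, verify, payload_off in (
        ("AH", ah_packet, ah_verify, 40 + AH_LEN),
        ("ESP", esp_packet, esp_verify, 40 + 8),
    ):
        pkt = build(key, SRC, DST, 1, BU)
        results[name] = {
            "intact": verify(key, pkt),
            "hop_limit_decremented": verify(key, with_hop_limit(pkt, 63)),
            "dst_rewritten": verify(key, with_dst(pkt, ipaddress.IPv6Address("2001:db8::beef"))),
            "payload_flipped": verify(key, flip_byte(pkt, payload_off)),
        }
    return results


if __name__ == "__main__":
    for proto, outcome in compare_coverage().items():
        print(proto, outcome)
```

Running compare_coverage() gives the expected split: a router decrementing the hop limit breaks neither ICV (AH zeroes the mutable fields before computing it), flipping a payload byte breaks both, and rewriting the destination address is caught only by AH, because the transport-mode ESP ICV starts at the ESP header and never sees the IP header. That header coverage is what the message above means by AH protecting headers and payload; tunnel-mode ESP would cover an inner header, which is a different packet layout and a different cost.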

