
Re: Simplifying IKE



On Wed, 08 Aug 2001 18:01:01 +0200 you wrote
> 
>    The very existence of AH, I think, is at the root of 
>    a lot of the misunderstanding that happened with MIPv6.
> 
> => I disagree, the purpose of AH is the protection of payload
> and headers (something ESP should not do because there already is AH)
> and for a signaling protocol like MIPv6 AH is both simpler and cheaper
> to use. The trouble of IPsec with MIPv6 is more IKE (the thing we are
> supposed to simplify): obviously to run IKE phases 1 & 2 in order
> to protect BUs (sometimes a single small packet) is overkill

Well, not really, and none of the simplifications being proposed or 
planned for IKE would help MIPv6.

The problem with MIPv6 is that the Binding Update is a destination
option which they would like authenticated. But there is no way for
an IPsec selector to be defined to identify certain types of destination
options. The choice is to authenticate _everything_, which they don't
want to do, or authenticate _nothing_, which they can't do. This has
nothing to do with IKE.

While the overkill of a phase 1 and phase 2 to merely authenticate a
single Binding Update is a problem, the other, larger problem is that
there is no global PKI to deal with authentication. Even a protocol
(SKIP for instance) which could handle the key establishment in a
single message-- definitely not overkill-- would not work because
there is no global PKI to support it.

  Dan.
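The selector-granularity point in the message above, as an added example (not code from the IPsec WG, from MIPv6, or from any IPsec implementation): a toy model of an RFC 2401 Security Policy Database whose selectors carry only addresses, next-layer protocol and ports. Because no selector field can see inside a Destination Options header, a Binding Update riding as a destination option on a TCP segment gets exactly the same decision as the plain data segment next to it, so the policy is either "protect everything to this peer" or "protect nothing". The addresses, port and the option type value used for the Binding Update are constructed for the example. The last function goes beyond the message: it shows the approach the later RFC 3775 design took, moving the Binding Update into its own Mobility Header (IPv6 next-header value 135), which is a selector field and so can be matched on its own.

```python
"""
Toy RFC 2401 SPD lookup, illustrating why a Binding Update carried as an
IPv6 destination option cannot be singled out by an IPsec selector.
Added example; not code from any IPsec or Mobile IPv6 implementation.
"""
from dataclasses import dataclass, field
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

# IANA next-header / protocol numbers
NH_TCP = 6
NH_MOBILITY = 135            # Mobility Header, the later RFC 3775 design

# Hypothetical option type for a Binding Update destination option
# (constructed; the actual draft value does not matter for the point).
OPT_BINDING_UPDATE = 0xC6

MN = "2001:db8:1::2"         # constructed mobile node address
CN = "2001:db8:2::7"         # constructed correspondent node address


@dataclass
class Packet:
    src: str
    dst: str
    proto: int                       # next-layer (transport) protocol
    sport: Optional[int] = None
    dport: Optional[int] = None
    dest_opts: Tuple[int, ...] = ()  # option types in a Dest-Opts header


def selector_view(pkt: Packet) -> Tuple[str, str, int, Optional[int], Optional[int]]:
    """The only fields an RFC 2401 selector can examine.  dest_opts is
    deliberately absent: extension-header contents are not selectors."""
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


@dataclass
class Selector:
    src: IPv6Network
    dst: IPv6Network
    proto: Optional[int] = None      # None = any
    dport: Optional[int] = None      # None = any

    def matches(self, pkt: Packet) -> bool:
        src, dst, proto, _sport, dport = selector_view(pkt)
        return (ip_address(src) in self.src
                and ip_address(dst) in self.dst
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


@dataclass
class SPDEntry:
    selector: Selector
    action: str                      # "PROTECT" (AH/ESP), "BYPASS" or "DISCARD"


@dataclass
class SPD:
    entries: List[SPDEntry] = field(default_factory=list)

    def lookup(self, pkt: Packet) -> str:
        """Ordered first-match lookup; no match means DISCARD (RFC 2401)."""
        for e in self.entries:
            if e.selector.matches(pkt):
                return e.action
        return "DISCARD"


# A Binding Update piggybacked as a destination option on an HTTP segment,
# and an ordinary HTTP segment of the same flow (both constructed).
BU_AS_DEST_OPT = Packet(MN, CN, NH_TCP, 40000, 80, dest_opts=(OPT_BINDING_UPDATE,))
PLAIN_DATA = Packet(MN, CN, NH_TCP, 40000, 80)
# The same Binding Update carried in a Mobility Header instead.
BU_AS_MH = Packet(MN, CN, NH_MOBILITY)

HOST_MN = ip_network(MN + "/128")
HOST_CN = ip_network(CN + "/128")


def rfc2401_policy(protect_all: bool) -> Tuple[str, str]:
    """Decisions for (Binding Update packet, plain data packet) under the
    only two policies expressible toward the CN: protect all or bypass all."""
    action = "PROTECT" if protect_all else "BYPASS"
    spd = SPD([SPDEntry(Selector(HOST_MN, HOST_CN), action)])
    return spd.lookup(BU_AS_DEST_OPT), spd.lookup(PLAIN_DATA)


def selectors_cannot_separate(a: Packet, b: Packet) -> bool:
    """True when no RFC 2401 selector, however written, can match one
    packet without also matching the other."""
    return selector_view(a) == selector_view(b)


def mobility_header_policy() -> Tuple[str, str]:
    """With the BU in its own Mobility Header, next-header 135 is a selector
    field, so signaling can be protected while data is bypassed."""
    spd = SPD([SPDEntry(Selector(HOST_MN, HOST_CN, proto=NH_MOBILITY), "PROTECT"),
               SPDEntry(Selector(HOST_MN, HOST_CN), "BYPASS")])
    return spd.lookup(BU_AS_MH), spd.lookup(PLAIN_DATA)


if __name__ == "__main__":
    print("protect-all:", rfc2401_policy(True))
    print("bypass-all: ", rfc2401_policy(False))
    print("separable by selector:", not selectors_cannot_separate(BU_AS_DEST_OPT, PLAIN_DATA))
    print("mobility header:", mobility_header_policy())
```

Running the script shows the Binding Update and the data segment receiving the same decision under either policy, and `selectors_cannot_separate` confirms that this is not a matter of writing a cleverer selector: every field a selector may consult is identical for the two packets. Only giving the signaling its own next-header value, as the Mobility Header later did, makes it selectable.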


