Re: Simplifying IKE
On Thu, 9 Aug 2001, Jan Vilhuber wrote:
> > > ...There's no 'one-size fits all' keying protocol.
> > That may be true, but it is not a self-evident fact.
>
> Hm.. I think it is. The fact that both main mode and aggressive mode exist,
> is proof that there's (at least) two camps that needed to be satisfied in
> IKE. One camp wants more security and versatility (negotiation, if you can
> call it that), and another camp wants more speed and is willing to sacrifice
> identity protection and negotiation.

Not quite. What you have established is that some people *think* there is
a need for two approaches. That doesn't make it true! Especially since
that design work was, to a large extent, done in advance of real live
implementation experience.

> The existence of KINK is another proof. There's obviously people that need
> extremely fast and light-weight keying, which KINK (again arguably) provides
> (for certain scenarios).

Again, there are people who *think* they need better keying performance,
but that doesn't make it true. (There were a lot of people who thought
they needed better data-transfer protocol performance than TCP/IP could
deliver. They put a lot of work into "lightweight" alternatives, most of
which are dead and forgotten, superseded by TCP/IP.)

Henry Spencer
henry@spsystems.net