
Re: Simplifying IKE



On Thu, 9 Aug 2001, Jan Vilhuber wrote:
> > > ...There's no 'one-size fits all' keying protocol.
> > That may be true, but it is not a self-evident fact.
> 
> Hm.. I think it is. The fact that both main mode and aggressive mode exist,
> is proof that there's (at least) two camps that needed to be satisfied in
> IKE. One camp wants more security and versatility (negotiation, if you can
> call it that), and another camp wants more speed and is willing to sacrifice
> identity protection and negotiation.

Not quite.  What you have established is that some people *think* there is
a need for two approaches.  That doesn't make it true!  Especially since
that design work was, to a large extent, done in advance of real live
implementation experience. 

> The existence of KINK is another proof. There's obviously people that need
> extremely fast and light-weight keying, which KINK (again arguably) provides
> (for certain scenarios).

Again, there are people who *think* they need better keying performance,
but that doesn't make it true.  (There were a lot of people who thought
they needed better data-transfer protocol performance than TCP/IP could
deliver.  They put a lot of work into "lightweight" alternatives, most of
which are dead and forgotten, superseded by TCP/IP.)

                                                          Henry Spencer
                                                       henry@spsystems.net


