
Re: Simplifying IKE



Hm.. Not sure where to go with this discussion. What's the difference between
people (and not just one or two) *thinking* they need something, and it being
true that they need it? If there's enough of them, then it becomes true. We
don't really NEED this internet thing at all, really. I'd be just as happy
sitting in a cave and grooving with a pict...

If you want to go convince the aggressive mode (or whatever you want to call
it... low number of messages/low setup-time/whatever) camp that they don't
REALLY need it, be my guest.

I could argue in reverse saying that just because you don't think they need
it doesn't make it true that they don't need it. It's a rather pointless
argument. Fact is that there's a camp that (thinks they) needs fewer messages
at the expense of some features (and some security). Let's hold a straw-poll
to count the percentages... Who calls for such a thing? The chairs? Let's
count. I'm trying to figure out what people want, after all. If no one cares
about speedy setup times, then let's axe aggressive mode and be done with it.
I'm actually OK with that. I suspect plenty of people won't.

They think they need it, you think they don't. Fine. They still exist, and
there's enough of them to not just be blown off because you don't think
they're right...


jan


On Thu, 9 Aug 2001, Henry Spencer wrote:

> On Thu, 9 Aug 2001, Jan Vilhuber wrote:
> > > > ...There's no 'one-size fits all' keying protocol.
> > > That may be true, but it is not a self-evident fact.
> > 
> > Hm.. I think it is. The fact that both main mode and aggressive mode exist,
> > is proof that there's (at least) two camps that needed to be satisfied in
> > IKE. One camp wants more security and versatility (negotiation, if you can
> > call it that), and another camp wants more speed and is willing to sacrifice
> > identity protection and negotiation.
> 
> Not quite.  What you have established is that some people *think* there is
> a need for two approaches.  That doesn't make it true!  Especially since
> that design work was, to a large extent, done in advance of real live
> implementation experience. 
> 
> > The existence of KINK is another proof. There's obviously people that need
> > extremely fast and light-weight keying, which KINK (again arguably) provides
> > (for certain scenarios).
> 
> Again, there are people who *think* they need better keying performance,
> but that doesn't make it true.  (There were a lot of people who thought
> they needed better data-transfer protocol performance than TCP/IP could
> deliver.  They put a lot of work into "lightweight" alternatives, most of
> which are dead and forgotten, superseded by TCP/IP.)
> 
>                                                           Henry Spencer
>                                                        henry@spsystems.net
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
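To make the trade-off the two posters are arguing over concrete, here is an added toy model of the two IKEv1 Phase 1 exchanges (RFC 2409 payload layout, six messages for Main Mode versus three for Aggressive Mode) as seen by a passive on-path listener. This is illustrative code written for this page, not anything from the thread or from any IKE implementation; the DH group, the cipher and the payload encoding are assumed toy stand-ins chosen only so the exchange runs offline, and the identities are constructed sample values.

```python
"""
Toy model of IKEv1 Phase 1 Main Mode vs Aggressive Mode from the viewpoint of
a passive observer. Constructed example following RFC 2409's payload order;
not real IKE and not anyone's implementation.
"""
import hashlib
import hmac
import secrets

# Assumption: toy DH parameters so the demo runs instantly. Real IKE uses
# 1024-bit+ MODP groups (RFC 2409 Appendix A); this is only for illustration.
P = 2**127 - 1
G = 5


def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def skeyid(shared, n_i, n_r):
    """Key derivation in the shape of RFC 2409's SKEYID (toy stand-in)."""
    return hmac.new(n_i + n_r, shared.to_bytes(16, "big"), hashlib.sha256).digest()


def xor_stream(key, data):
    """Toy symmetric cipher: SHA-256 counter keystream XORed onto data."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encode(payloads):
    return b"|".join(name + b"=" + value for name, value in payloads)


def decode(blob):
    return [tuple(item.split(b"=", 1)) for item in blob.split(b"|")]


def auth_hash(key, ident):
    """HASH_I / HASH_R stand-in, hex-encoded so it survives the toy encoding."""
    return hmac.new(key, ident, hashlib.sha256).hexdigest().encode()


def msg(sender, payloads, key=None):
    """A message carries either cleartext payloads or one ciphertext blob."""
    if key is None:
        return {"from": sender, "clear": payloads, "cipher": None}
    return {"from": sender, "clear": [], "cipher": xor_stream(key, encode(payloads))}


def dh_and_nonces():
    """Both peers pick DH exponents and nonces and derive the same SKEYID."""
    x_i, ke_i = dh_keypair()
    x_r, ke_r = dh_keypair()
    n_i, n_r = secrets.token_bytes(16), secrets.token_bytes(16)
    key = skeyid(pow(ke_r, x_i, P), n_i, n_r)
    assert key == skeyid(pow(ke_i, x_r, P), n_i, n_r)  # both sides agree
    return ke_i.to_bytes(16, "big"), ke_r.to_bytes(16, "big"), n_i, n_r, key


def run_main_mode(id_i, id_r):
    """Six messages: SA negotiation, then KE/nonces, then IDs under SKEYID."""
    ke_i, ke_r, n_i, n_r, key = dh_and_nonces()
    return [
        msg("I", [(b"SA", b"proposals")]),
        msg("R", [(b"SA", b"choice")]),
        msg("I", [(b"KE", ke_i), (b"Ni", n_i)]),
        msg("R", [(b"KE", ke_r), (b"Nr", n_r)]),
        msg("I", [(b"IDii", id_i), (b"HASH_I", auth_hash(key, id_i))], key),
        msg("R", [(b"IDir", id_r), (b"HASH_R", auth_hash(key, id_r))], key),
    ], key


def run_aggressive_mode(id_i, id_r):
    """Three messages: everything up front, so IDs go out before any key exists."""
    ke_i, ke_r, n_i, n_r, key = dh_and_nonces()
    return [
        msg("I", [(b"SA", b"proposals"), (b"KE", ke_i), (b"Ni", n_i), (b"IDii", id_i)]),
        msg("R", [(b"SA", b"choice"), (b"KE", ke_r), (b"Nr", n_r), (b"IDir", id_r),
                  (b"HASH_R", auth_hash(key, id_r))]),
        msg("I", [(b"HASH_I", auth_hash(key, id_i))]),  # modelled as cleartext
    ], key


def passive_observer(transcript):
    """Everything an on-path listener without a key can read: cleartext values."""
    return {value for m in transcript for _, value in m["clear"]}


def decrypt_payloads(message, key):
    """A legitimate peer holding SKEYID recovers the protected ID payloads."""
    return dict(decode(xor_stream(key, message["cipher"])))


if __name__ == "__main__":
    # Constructed sample identities.
    for name, run in (("Main Mode", run_main_mode), ("Aggressive Mode", run_aggressive_mode)):
        transcript, _ = run(b"alice@example.org", b"vpn-gw.example.org")
        leaked = sorted(v for v in passive_observer(transcript) if v.endswith(b"example.org"))
        print(f"{name}: {len(transcript)} messages; identities visible on the wire: {leaked}")
```

Running the block prints the message count for each mode and which identities a listener can read: none for Main Mode, both for Aggressive Mode. That is exactly the "speed versus identity protection" trade the thread describes; the model also shows that Main Mode's extra round trip is what lets the ID payloads ride under a DH-derived key.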


