
RE: (More) immediate changes to help interop problems?



> I agree. I also would like to see the commit bit gone (not many people
> support it anyway, nor do it right).
>
> I think the fact we still have bakeoffs to test IKE interop tells us that
> we need to simplify what we have.

I think you are exaggerating. The fact that we still have bakeoffs shows
that we are still *ADDING* features to IKE. I expect to be testing NAT
traversal, ECDH, bigger DH groups, maybe revised hash if anyone else has
implemented it.

The concern over complexity is two things:

a) People who say that IKE must contain HIDDEN flaws or implementations must
have security holes.
b) People who say that IKE is too hard to write by new implementers.

I don't know of any 'old' implementation that still needs baking on basic
IKE features. Are you saying yours does? :-)


> At one IETF, I was sure I heard a call and a straw vote for IKE rev'ed to
> V2, with the new hash, and additional changes. I would like to fix those
> things we can fix now, allowing current users to continue to use IKE,
> while we debate a new, and improved key exchange,

You're free to improve your codebase with experimental
features/anti-features whenever you want. I've already fixed the hash
problem on our gateways. If you want to interoperate, you can use our vendor
id.

Andrew
-------------------------------------------
Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.


> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Scott Fanning
> Sent: Wednesday, August 08, 2001 1:46 PM
> To: Geoffrey Huang; ipsec@lists.tislabs.com
> Subject: Re: (More) immediate changes to help interop problems?
>
>
>
> My 2 cents
> Scott
> ----- Original Message -----
> From: "Geoffrey Huang" <ghuang@cisco.com>
> To: <ipsec@lists.tislabs.com>
> Sent: Wednesday, August 08, 2001 1:57 AM
> Subject: (More) immediate changes to help interop problems?
>
>
> > Hi there,
> >
> > So I've seen many messages concerning long-term development for the next
> > IKE, but what happened to discussion on fixing some shortcomings that
> > immediately affect interoperability?  Andrew K. mentioned a few yesterday
> > during his presentation, but off the top of my head, I can think of a few
> > ambiguities:
> >
> > - Rekeying/Ph. 1 Responder Lifetime
> > - Unreliable Delete/Notifies
> > - Optional Cert Request Payload
> > - Some way to detect dead peers/stale SAs
> >
> > I'm just thinking of issues in currently deployed scenarios...
> >
> > -g
> >
>
>
