
Re: Is base mode dead?



On Sat, 11 Aug 2001, Sandy Harris wrote:
> With all the discussion of simplifying IKE, main mode vs. aggressive,
> the commit bit, ... I thought it was time I had a look at 'base mode'.
>
> I cannot find either a draft or an RFC. Is it dead?

Draft's from about a year ago (I think it expired last Christmas or so).
It's basically dead, although I suppose it's a shame.

It combines limited DoS protection of MM with identity exposure
of aggressive mode (and just 4 messages).

I think that if we really go for only one exchange, aggressive mode is not
even an option; however, the question is, do we want identity hiding or not? It
costs one roundtrip.

In my ideal world there'd be a 2-message QM which could be glued on the base
mode so you could have SAs up in 4 messages and still retain the IKE SA for
fast further SAs.

But, YMMV.

-Markus

