
SOI: round tripiness




I didn't see any mention in the draft about IKE's
round trip obesity. I think there's a number of us
who think that IKE's requirement of 8 or more
messages to establish the first SA is grotesque.
While it's probably not a huge deal for VPNs, for
peers wanting to establish on-the-fly transport
connections (including the OE stuff), the message
count burden is probably even more significant
than the CPU burden, which is saying something.

JFK proposes that we smash everything together and
nuke the Main/Quick mode distinction. This seems
sensible on the surface, but there seems to be
some amount of fear that not having the ability to
amortize expensive public key operations will degrade
performance for rekeying, deletes, notifies, etc.

I'll point out that KINK sidesteps this problem by
virtue of using Kerberos tickets which capture the
state of initial authentication for a shortish
period of time. This allows use of much cheaper
symmetric key operations for subsequent protocol
operations while still eliminating Main Mode.
Perhaps this sort of mechanism (even if not
Kerberos directly) could be used for SOI.

		   Mike

