Re: SOI: identity protection and DOS
Henry Spencer writes:
> On Wed, 21 Nov 2001, Michael Thomas wrote:
> > > The proposed IKEv2, if I've read the spec correctly, establishes both
> > > an ISAKMP SA and a set of IPsec SAs, *with* full identity protection,
> > > in 2 round trips. It is difficult to imagine improving on that...
> >
> > Fine, then IKEv2 meets my proposed requirement. That
> > doesn't negate the requirement, or the reason to have it.
> > We are still talking about requirements, right?
>
> We are, but you've given a rather confused impression of what your
> proposed requirement actually *is*. You start out saying "identity
> protection should not be mandatory if it is expensive", which is at least
> defensible. But then you switch to "since identity protection is known to
> be expensive, it must not be mandatory", which is simply unfounded. You
> need to stick to stating requirements, and avoid jumping to conclusions
> about how they should be met.

I meant what was started out with. Where that led
to was a chorus of "it's not expensive" with a
bunch of confusion along the way, which I'm still
not sure about whether it is or isn't. Also: we
still haven't mentioned the other part of my
initial post, which was about DoS protection, which
I lump in the same category: make it optional for
when the exceptional conditions arise.

Mike