[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Son-of-IKE Selection Criteria?

To: ipsec@lists.tislabs.com
Subject: Son-of-IKE Selection Criteria?
From: "Walker, Jesse" <jesse.walker@intel.com>
Date: Thu, 29 Nov 2001 09:51:52 -0800
Sender: owner-ipsec@lists.tislabs.com

Suddenly we suffer an embarassment of riches. We have three thoughtful, very
well crafted, very credible proposals for Son-of-IKE, and we need to
establish some selection criteria to choose among them. I wish we didn't
have to choose, because all three have some very nice characteristics.

The IKEv2 proposal of Harkins-Perlman-Kaufman is by far the most complete of
the three,  addresses the widest variety of issues, and remains the most
faithful to the existing IKE. It appears to fix many of IKEv1's most onerous
problems, and seems like it would have the  best time-to-market
characteristics. One of its most important steps is it begins to make
security association management more explicit, which will finally help
resolve the interoperability difficulties related to session termination. It
is particularly pleasurable seeing the large number of practical protocol
physical implementation issues dealt with, making it more plausible that
resulting implementations might actually interoperate. Its completeness and
degree of reuse of existing IKE elements and design philosophy make it very
attractive.

Krawzyck's SIGMA proposal strikes me as by far the cleanest, simplest, and
most elegant of the three; enough said. It reuses much of IKE. However, its
three-way handshake uses different sorts of state machines than the two-way
handshakes used by the other proposals, so implementors would have to learn
a new bag of tricks. SIGMA's greatest drawback is that it is fairly
incomplete compared with Harkins et al proposal.

The JFK proposal of Aiello et. al. exhibits the most novelty and creativity
of the three. It also strikes me as the most complex of the three, but this
is due to the novelty of its solution to the DoS problem; good optimizations
often introduce more complexity. This complexity does not appear to have
compromised the security goals, and given its pedigree, probably will not
introduce problems, but this remains to be established. JFK does introduce
one striking simplification: the elimination of negotiation by letting the
responder dictate the security policy. One of the key deployment barriers to
IPsec--perhaps the key one--has been the lack of a policy distribution and
coordination mechanism, and JFK's approach sweeps this away entirely. JFK is
also the only one of the three to grope toward a realistic rekey algorithm,
another deficiency in the current IPsec.

I would be happy for the WG to begin with any one of the three; getting a
credible Son-of-IKE is the most important step we can take to make IPsec
widely deployable, and all  three proposals fit the bill in my estimation.
If I had to make a choice today, I would  select SIGMA, on the basis that
elegant designs tend to lead to the best, most long-lived implementations
and to best security. But I really would prefer not choosing; I would really
like to see SIGMA incorporated into IKEv2, and for the authors also to pick
up many of the good ideas from JFK, like its approach to policy and rekey.

For whatever it's worth, this is my first reading of all three documents.
What I'd like to know how the WG will make a decision among these excellent
candidates.

-- Jesse Walker

Prev by Date: Re: On shared keys
Next by Date: RE: CBC makes Implementations too Slow.
Prev by thread: I-D ACTION:draft-ietf-ipsec-ciph-aes-cbc-03.txt
Index(es):
- Main
- Thread