
Re: IKE v2 Requirements and backwards compatibility



On Mon, 17 Dec 2001, Scott Fanning wrote:
> Unless IKEv2 is a subset of IKEv1, which would simplify things, but that seems
> not to be the approach of the WG. So, am I correct in saying that any
> attempts to simplify IKEv1 by tightening the language, removing AH, COMMIT
> BIT, and a "mode" would not make IKEv1 better and less complex?

Better and less complex, yes, but quite possibly not worth the trouble.  
And there would still be interoperability issues, since a simplified IKE
could not reliably interoperate with the original.  (In many ways this is
worse than a new protocol, because it would sometimes interoperate and
sometimes not.)

> How about
> pre-defining protection suites to avoid negotiation explosions?

draft-spencer-ipsec-ike-implementation-00.txt attempts this in a small
way, but more as a record of successful experience than as an attempt at
laying down the law for the future -- it's something that has not been
much of a problem in practice, because when it comes to things like
algorithm choices, in fact there is a small subset that almost everyone
implements and which you can propose fairly confidently.  It's numeric
values like lifetimes which cause more trouble.

                                                          Henry Spencer
                                                       henry@spsystems.net
