Re: IKE v2 Requirements and backwards compatibility
On Mon, 17 Dec 2001, Scott Fanning wrote:
> Unless IKEv2 is a subset of IKEv1 which would simplify things, but that seems
> not to be the approach of the WG. So, am I correct in saying that any
> attempts to simplify IKEv1 by tightening the language, removing AH, COMMIT
> BIT, and a "mode" would not make IKEv1 better, and less complex?
Better and less complex, yes, but quite possibly not worth the trouble.
And there would still be interoperability issues, since a simplified IKE
could not reliably interoperate with the original. (In many ways this is
worse than a new protocol, because it would sometimes interoperate and
sometimes not.)
> How about
> pre-defining protection suites to avoid negotiation explosions?
draft-spencer-ipsec-ike-implementation-00.txt attempts this in a small
way, but more as a record of successful experience than as an attempt at
laying down the law for the future -- it's something that has not been
much of a problem in practice, because when it comes to things like
algorithm choices, in fact there is a small subset that almost everyone
implements and which you can propose fairly confidently. It's numeric
values like lifetimes which cause more trouble.
Henry Spencer
henry@spsystems.net
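The point Henry makes about negotiation, that a small, widely implemented algorithm subset can be proposed with confidence while numeric attributes such as lifetimes are where interoperability breaks, can be shown with a toy proposal matcher. The following is an added illustration, not code from draft-spencer-ipsec-ike-implementation-00 or from any real IKE implementation; the suite entries, attribute names and the two responder lifetime policies are constructed for the example and are not IANA identifiers or the behaviour of any particular product.

```python
# Added illustration of IKE-style proposal selection (constructed example,
# not from any real IKE stack or from the draft cited in the message).

# A constructed "conservative" suite list standing in for the small subset of
# algorithms that almost everyone implements. Field names are assumptions.
COMMON_SUITES = [
    {"encr": "3DES", "hash": "SHA1", "group": 2, "auth": "psk"},
    {"encr": "3DES", "hash": "MD5", "group": 2, "auth": "psk"},
]

ALGORITHM_FIELDS = ("encr", "hash", "group", "auth")


def select_proposal(initiator_proposals, responder_suites):
    """Responder picks the first initiator proposal whose algorithm fields
    exactly match one of its own acceptable suites. Returns None if none match,
    which is the "negotiation explosion" failure the thread is worried about."""
    for prop in initiator_proposals:
        for ours in responder_suites:
            if all(prop.get(k) == ours[k] for k in ALGORITHM_FIELDS):
                return prop
    return None


def negotiate_lifetime(offered_seconds, our_seconds, strict):
    """Two responder behaviours for the numeric SA lifetime attribute.
    strict=True : the value must match exactly, otherwise the exchange fails.
    strict=False: accept the proposal and run with the smaller of the two.
    Both are constructed policies used to show why numeric attributes, unlike
    a fixed algorithm suite, are a frequent source of interoperability trouble."""
    if strict:
        return offered_seconds if offered_seconds == our_seconds else None
    return min(offered_seconds, our_seconds)


def negotiate(initiator_proposals, responder_suites, our_lifetime, strict):
    """Full toy negotiation: algorithm suite first, then the lifetime attribute.
    Returns the agreed parameters, or None when either step fails."""
    chosen = select_proposal(initiator_proposals, responder_suites)
    if chosen is None:
        return None
    lifetime = negotiate_lifetime(chosen.get("lifetime_s", our_lifetime),
                                  our_lifetime, strict)
    if lifetime is None:
        return None
    agreed = {k: chosen[k] for k in ALGORITHM_FIELDS}
    agreed["lifetime_s"] = lifetime
    return agreed


# Constructed initiator offer: a well-known suite, but an 8-hour lifetime
# where the responder's policy is 1 hour.
INITIATOR_OFFER = [
    {"encr": "AES", "hash": "SHA1", "group": 5, "auth": "psk", "lifetime_s": 28800},
    {"encr": "3DES", "hash": "SHA1", "group": 2, "auth": "psk", "lifetime_s": 28800},
]

if __name__ == "__main__":
    print("strict :", negotiate(INITIATOR_OFFER, COMMON_SUITES, 3600, strict=True))
    print("lenient:", negotiate(INITIATOR_OFFER, COMMON_SUITES, 3600, strict=False))
```

Running it, the algorithm step succeeds under both policies because the second offered suite is in the common subset; the strict responder then fails on the lifetime mismatch while the lenient one agrees on 3600 seconds. When auditing an IKE deployment, the same split explains why a peer that "works with vendor A but not vendor B" is usually a numeric-attribute issue rather than an algorithm one.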