[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IKE v2 Requirements and backwards compatability

To: ipsec@lists.tislabs.com
Subject: Re: IKE v2 Requirements and backwards compatability
From: Tero Kivinen <kivinen@ssh.fi>
Date: Thu, 20 Dec 2001 14:10:05 +0200
CC: pkoning@equallogic.com
In-Reply-To: pkoning@equallogic.com's message of "Wed, 19 Dec 2001 17:27:16 +0000 (UTC)"
References: <15392.47983.271146.185793@pkoning.dev.equallogic.com>
Sender: owner-ipsec@lists.tislabs.com

pkoning@equallogic.com (Paul Koning) writes:
 > In order to deal with IKEv1 vs. IKEv2 "without undue delay" as I
 > suggested should be the requirement, you need a timely way to
 > recognize a V1-only implementation.  If the "invalid version number"
 > message were mandatory, this could be done (modulo the issue of lack
 > of authentication).

In some cases there is no way to know if the other end talks IKE at
all without timeouts. 

 > It sounds like we're stuck with timeout as the mechanism for detecting
 > V1-only implementations.  Yuck.  If that's right, then there is no
 > reason to stick with the old port number.

I don't think we are stuck with timeouts in common case. There are
implementations out there that WILL send the notification. This means
that if you start IKEv2 negotiation with them they will send
notification back and you can immediately fall back to IKEv1. If the
other end is one of those which does not send the notification then
you have to wait until the timeout expires, but I think more IKEv1
implementations will start sending those notifications when IKEv2
starts get used, even if they do not support any other
notifications, just to get rid of those timeouts.

I.e if you notice that when I use vendor A products it immediately
notices IKEv2 is not understood and falls back to IKEv1 without
timeout, and for vendor B products you have to wait until timeout
expires I think most of the users will consider the vendor A product
better, thus vendor B will fix its code to send notifications.

Also current installed base is mostly VPNs and there you can
preconfigure that the other end only supports IKEv1 to get rid of
timeout. For oppurtunistic encryption case etc where you don't know
anything about the other end you might want to put that kind of
information to the TXT record containing the public key itself...
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

Follow-Ups:

Re: IKE v2 Requirements and backwards compatability

From: Shane Amante <shane@amante.org>

References:

Re: IKE v2 Requirements and backwards compatability

From: Paul Koning <pkoning@equallogic.com>

Prev by Date: Re: Should Alice say who she wants to talk to?
Next by Date: Re: rushed comments on IKEv2 draft
Prev by thread: Re: IKE v2 Requirements and backwards compatability
Next by thread: Re: IKE v2 Requirements and backwards compatability
Index(es):
- Main
- Thread