Re: Regarding the next version of IKE

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

At 3:04 PM -0800 3/6/02, Scott Fanning wrote:
>I think I brought this issue up a couple of months ago. The 
>resounding answer at the time is that the version number in the 
>isakmp hdr is enough to direct message to the correct process 
>running a specific IKE version. I think there is some code reuse 
>here (although that is a debatable requirement as well).

Note that the on-the-wire protocol in JFK is not set in stone. It 
could easily be changed to look almost identical to IKEv2; that is, I 
have already written up that change. If the WG wants the features of 
JFK but to have it run on port 500 and look enough like IKEv2 so that 
it will not crash an IKEv1 implementation, that is pretty easy.

>On a very different note:
>
>Also, I was wondering if it would be possible to add a "message 
>type" in the isakmp hdr in the IKEv2 (Harkins et al) to indicate 
>what part of the exchange the message represents. This would be 
>different than the "Exchange Type" as it would offer a finer level 
>of granularity. I know you can look at how the message is 
>constructed to determine that information, but it seems to be that a 
>simple identifier to validate a message against a state machine 
>would be a cheaper operation. Of course, it does not remove the 
>requirement to examine the payloads to ensure that all is in order. 
>Just an idea.

Or, instead of changing the ISAKMP header, you could add granularity 
to the new exchange types. Instead of the current:
                        Phase One                34
                        CREATE-CHILD-SA          35
                        Informational            36
You might have:
                        Phase One  message 1     34
                        Phase One  message 2     35
                        Phase One  message 3     36
                           .
                           .
                           .

--Paul Hoffman, Director
--VPN Consortium