Re: Choosing between IKEv2 and JFK



Angelos D. Keromytis writes:
 > 
 > In message <15495.61112.901790.504193@thomasm-u1.cisco.com>, Michael Thomas writes:
 > >
 > >   Huh? The certs are only there for identity. If I 
 > >   want to have two different SA's so I get differential
 > >   queuing treatment, there's nothing that says that I
 > >   need two different identities. I just change the
 > >   traffic selectors. This isn't any different than
 > >   RSVP flow selectors and queuing treatment.
 > 
 > If you reuse the same certs, then you can simply reuse cached results. Given
 > that, I assumed that different QoS levels corresponded to different 
 > credentials.

Disclaimer: I've been scanning this thread very
lightly. If I'm hopelessly misreading this, feel
free to ignore.
  
I thought -- maybe wrongly -- that the point of
this threadlet was that if you have multiple SA's
from a single device due to QoS considerations, it
would be advantageous to have some public key
amortization mechanism à la quick mode. I took your
response to be that they'd all require different
credentials anyway, so it wouldn't help in reality.

Assuming I've got this correct, I disagree:
there's no reason to assume that you wouldn't use
the same credentials in each case since granting
QoS and/or SA's is an authorization issue. The
certs are only providing the identity piece
(normally). As such, being able to amortize the
main mode public operations is a win in that case.

		Mike
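The amortization argument above, as an added illustration that is not part of the original thread and not code from any IKE implementation: one expensive authenticated key exchange (DH plus certificate signature verification, represented here by a counter and a random seed) is paid once per peer identity, and each additional SA that differs only in its traffic selector (here a DSCP value chosen for queuing treatment) is derived from the cached secret with a symmetric prf+, as IKEv2 and quick mode do. Whether a given identity may request a given QoS class is a separate authorization check against a policy table. `TrafficSelector`, `IkeSession`, `QOS_POLICY` and the host names are constructed for this example.

```python
"""Toy model of amortizing one public-key authentication over several IPsec
SAs that differ only in traffic selectors. Constructed illustration only."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TrafficSelector:
    src: str
    dst: str
    dscp: int  # DSCP value: which queue this SA's packets are placed in


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """IKEv2-style prf+: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, prev, n = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(key, prev + seed + bytes([n]), hashlib.sha256).digest()
        out += prev
        n += 1
    return out[:length]


# Constructed policy: DSCP classes each authenticated identity may request.
# Identity comes from the certificate; the QoS grant is an authorization step.
QOS_POLICY: Dict[str, set] = {"host-a.example": {0, 46}, "host-b.example": {0}}


def authorize(identity: str, ts: TrafficSelector) -> bool:
    return ts.dscp in QOS_POLICY.get(identity, set())


class IkeSession:
    """One phase-1 style exchange per peer; child SAs cost symmetric work only."""

    def __init__(self, identity: str, skeyseed: Optional[bytes] = None):
        self.identity = identity
        self.children: Dict[int, Tuple[TrafficSelector, bytes]] = {}
        # Stand-in for DH + certificate signature verification: counted once.
        self.public_key_ops = 1
        self.skeyseed = skeyseed if skeyseed is not None else os.urandom(32)

    def create_child_sa(self, spi: int, ts: TrafficSelector) -> bytes:
        """Derive keys for a new SA from the cached secret; no public-key ops."""
        if not authorize(self.identity, ts):
            raise PermissionError(f"{self.identity} may not use DSCP {ts.dscp}")
        seed = spi.to_bytes(4, "big") + f"{ts.src}|{ts.dst}|{ts.dscp}".encode()
        key = prf_plus(self.skeyseed, seed, 32)
        self.children[spi] = (ts, key)
        return key


def demo() -> Tuple[int, int]:
    """Two SAs with different QoS classes under one authentication."""
    sess = IkeSession("host-a.example", skeyseed=bytes(32))  # fixed seed for demo
    sess.create_child_sa(0x1001, TrafficSelector("10.0.0.1", "10.0.1.1", dscp=0))
    sess.create_child_sa(0x1002, TrafficSelector("10.0.0.1", "10.0.1.1", dscp=46))
    return sess.public_key_ops, len(sess.children)


if __name__ == "__main__":
    print(demo())  # (1, 2): one public-key exchange, two SAs
```

The point the model makes explicit is that the number of public-key operations stays at one however many selectors are added, while a policy mismatch (an identity asking for a class it is not entitled to) is refused without touching the cached credential result.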