Re: Choosing between IKEv2 and JFK
Angelos D. Keromytis writes:
>
> In message <15495.61112.901790.504193@thomasm-u1.cisco.com>, Michael Thomas writes:
> >
> > Huh? The certs are only there for identity. If I
> > want to have two different SA's so I get differential
> > queuing treatment, there's nothing that says that I
> > need two different identities. I just change the
> > traffic selectors. This isn't any different than
> > RSVP flow selectors and queuing treatment.
>
> If you reuse the same certs, then you can simply reuse cached results. Given
> that, I assumed that different QoS levels corresponded to different
> credentials.
Disclaimer: I've been scanning this thread very
lightly. If I'm hopelessly misreading this, feel
free to ignore.
I thought -- maybe wrongly -- that the point of
this threadlet was that if you have multiple SA's
from a single device due to QoS considerations, it
would be advantageous to have some public key
amortization mechanism a la quick mode. I took your
response to be that they'd all require different
credentials anyway, so it wouldn't help in reality.
Assuming I've got this correct, I disagree:
there's no reason to assume that you wouldn't use
the same credentials in each case since granting
QoS and/or SA's is an authorization issue. The
certs are only providing the identity piece
(normally). As such, being able to amortize the
main mode public operations is a win in that case.
Mike
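The amortization argument above, as an added example that is not part of the thread and not code from any IKE implementation: one main-mode-like exchange pays the public-key cost (modular exponentiations) once, after which each additional SA for a different traffic selector / QoS class is derived with symmetric work only, quick-mode style, from the shared SKEYSEED. The Diffie-Hellman group (the Mersenne prime 2^127 - 1, generator 3) is a constructed toy group chosen only so the operation count reflects real exponentiations, HMAC-SHA256 stands in for the negotiated PRF, and the signature/certificate verification that a real phase 1 would also pay per exchange is left out; all of these are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed toy Diffie-Hellman group, labelled as such: the Mersenne prime
# 2^127 - 1 with generator 3. It is here only so the public-key operation
# count is real modular exponentiation; it is NOT one of the IKE MODP groups
# and provides no real security.
P = (1 << 127) - 1
G = 3


def prf(key: bytes, data: bytes) -> bytes:
    """PRF in the IKE sense; HMAC-SHA256 stands in for the negotiated PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """One IKE endpoint. pubkey_ops counts modular exponentiations performed."""

    def __init__(self, name: str):
        self.name = name
        self.pubkey_ops = 0
        self.skeyseed = None  # result of the one expensive exchange

    def dh_keypair(self):
        priv = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
        self.pubkey_ops += 1
        return priv, pow(G, priv, P)

    def dh_shared(self, priv: int, peer_pub: int) -> bytes:
        self.pubkey_ops += 1
        return pow(peer_pub, priv, P).to_bytes(16, "big")


def phase1(init: Party, resp: Party) -> None:
    """Main-mode-like exchange: both sides pay the public-key cost and agree
    on SKEYSEED = prf(Ni | Nr, g^xy). Signature and certificate checks would
    add further per-exchange public-key operations; they are omitted here."""
    ni, nr = os.urandom(16), os.urandom(16)
    xi, gi = init.dh_keypair()
    xr, gr = resp.dh_keypair()
    ss_i = init.dh_shared(xi, gr)
    ss_r = resp.dh_shared(xr, gi)
    init.skeyseed = prf(ni + nr, ss_i)
    resp.skeyseed = prf(ni + nr, ss_r)
    if init.skeyseed != resp.skeyseed:
        raise RuntimeError("DH agreement failed")


def child_sa_key(party: Party, spi: bytes, ni: bytes, nr: bytes, selector: str) -> bytes:
    """Quick-mode-like derivation without PFS: symmetric work only, keyed by
    the phase 1 SKEYSEED, with the traffic selector bound into the derivation
    so each QoS class gets distinct keying material under the same identity."""
    return prf(party.skeyseed, spi + ni + nr + selector.encode())


def establish_sas(selectors, amortize: bool):
    """Set up one SA per traffic selector; return (keys, total public-key ops).
    amortize=True reuses a single phase 1; amortize=False redoes it per SA."""
    init, resp = Party("initiator"), Party("responder")
    keys = {}
    if amortize:
        phase1(init, resp)
    for sel in selectors:
        if not amortize:
            phase1(init, resp)  # a fresh identity-bound exchange for every SA
        spi, ni, nr = os.urandom(4), os.urandom(16), os.urandom(16)
        k_i = child_sa_key(init, spi, ni, nr, sel)
        k_r = child_sa_key(resp, spi, ni, nr, sel)
        if k_i != k_r:
            raise RuntimeError("child SA key mismatch")
        keys[sel] = k_i
    return keys, init.pubkey_ops + resp.pubkey_ops


if __name__ == "__main__":
    # Constructed selectors: three QoS classes from one device, one identity.
    classes = ["udp/5060 dscp=ef", "tcp/443 dscp=af41", "tcp/80 dscp=be"]
    _, amortized = establish_sas(classes, amortize=True)
    _, per_sa = establish_sas(classes, amortize=False)
    print(f"public-key ops: amortized={amortized}, per-SA phase 1={per_sa}")
```

Each phase 1 costs four exponentiations here (a keypair and a shared secret on each side), so three SAs cost 4 operations amortized against 12 without; with certificate signatures added the gap widens further, and the traffic selector in the derivation is what keeps the per-class keys distinct even though the credentials never change.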