
Re: Choosing between IKEv2 and JFK

Both approaches are valid: you might be using the same credentials, or
different credentials, in setting up different QoS streams. In the case
of "same credentials", certificate verification can be cached. In the case
of "different credentials", the Phase 1/Phase 2 distinction doesn't buy
you anything (you have to do a Phase 1 for each different set of credentials).

-Angelos

In message <15495.61766.480181.108549@thomasm-u1.cisco.com>, Michael Thomas writes:
 >
 >Disclaimer: I've been scanning this thread very
 >lightly. If I'm hopelessly misreading this, feel
 >free to ignore.
 >  
 >I thought -- maybe wrongly -- that the point of
 >this threadlet was that if you have multiple SA's
 >from a single device due to QoS considerations, it
 >would be advantageous to have some public key
 >amortization mechanism a la quick mode. I took your
 >response to be that they'd all require different
 >credentials anyway, so it wouldn't help in reality.
 >
 >Assuming I've got this correct, I disagree:
 >there's no reason to assume that you wouldn't use
 >the same credentials in each case since granting
 >QoS and/or SA's is an authorization issue. The
 >certs are only providing the identity piece
 >(normally). As such, being able to amortize the
 >main mode public operations is a win in that case.
 >
 >		Mike
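The two cases argued above (same credentials across SAs versus different credentials per SA), as a small cost model added here; it is not code from either author or from the IKEv2/JFK drafts. It assumes Phase 2 runs without PFS (no public-key work) and that a single-phase exchange does a fresh DH per SA; the credential bytes are constructed labels, not real certificate chains.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for DER certificate chains (not real certificates).
CRED_A = b"constructed cert chain: device-1"
CRED_B = b"constructed cert chain: device-2"


def fingerprint(chain: bytes) -> str:
    return hashlib.sha256(chain).hexdigest()


@dataclass
class Responder:
    """Counts the public-key work a responder does while setting up SAs."""
    cache_ttl: float = 3600.0
    cert_verifications: int = 0   # full chain validations performed
    dh_exchanges: int = 0         # Diffie-Hellman exchanges performed
    _verified: dict = field(default_factory=dict)   # fingerprint -> expiry
    _phase1: dict = field(default_factory=dict)     # fingerprint -> expiry

    def _verify(self, chain: bytes, now: float) -> None:
        fp = fingerprint(chain)
        if self._verified.get(fp, 0.0) > now:
            return                         # cached: same credentials seen before
        self.cert_verifications += 1       # stand-in for real chain validation
        self._verified[fp] = now + self.cache_ttl

    def sa_single_phase(self, chain: bytes, now: float) -> None:
        """JFK-like: each SA is its own exchange; only verification is cached.
        Assumption of this model: a fresh DH exchange per SA."""
        self._verify(chain, now)
        self.dh_exchanges += 1

    def sa_two_phase(self, chain: bytes, now: float) -> None:
        """IKE-like: one Phase 1 per credential set, then a Phase 2 per SA
        (modelled without PFS, so Phase 2 costs no public-key operations)."""
        fp = fingerprint(chain)
        if self._phase1.get(fp, 0.0) <= now:
            self._verify(chain, now)
            self.dh_exchanges += 1
            self._phase1[fp] = now + self.cache_ttl


def cost(chains, two_phase: bool) -> tuple:
    """Return (cert_verifications, dh_exchanges) for one SA per listed chain."""
    r = Responder()
    for i, chain in enumerate(chains):
        (r.sa_two_phase if two_phase else r.sa_single_phase)(chain, now=float(i))
    return r.cert_verifications, r.dh_exchanges
```

With four SAs under one credential set the two-phase design saves DH work while caching alone already removes the repeated chain validation; with four distinct credential sets both designs do the same public-key work.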