
Re: Choosing between IKEv2 and JFK



On Thu, 7 Mar 2002, Angelos D. Keromytis wrote:

> 
> Both approaches are valid: you might be using the same credentials, or
> different credentials, in setting up different QoS streams. In the case
> of "same credentials", certificate verification can be cached. In the case
> of "different credentials", the Phase 1/Phase 2 distinction doesn't buy
> you anything (you have to do a Phase 1 for each different set of credentials).
> 

Agreed. The 'different credentials' case is irrelevant to this
discussion. It's the 'same credentials' case that matters, in which
case you still have a few RSA operations to do, and it would be
beneficial to amortize them with a Phase 2.

jan


> -Angelos
> 
> In message <15495.61766.480181.108549@thomasm-u1.cisco.com>, Michael Thomas writes:
> >
> >Disclaimer: I've been scanning this thread very
> >lightly. If I'm hopelessly misreading this, feel
> >free to ignore.
> >  
> >I thought -- maybe wrongly -- that the point of
> >this threadlet was that if you have multiple SA's
> >from a single device due to QoS considerations, it
> >would be advantageous to have some public key
> >amortization mechanism ala quick mode. I took your
> >response to be that they'd all require different
> >credentials anyway, so it wouldn't help in reality.
> >
> >Assuming I've got this correct, I disagree:
> >there's no reason to assume that you wouldn't use
> >the same credentials in each case since granting
> >QoS and/or SA's is an authorization issue. The
> >certs are only providing the identity piece
> >(normally). As such, being able to amortize the
> >main mode public operations is a win in that case.
> >
> >		Mike
> 
> 

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847
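The amortization argument in the thread, as an added cost model (not code from the thread, IKE, or JFK): each distinct credential set pays for one authenticated exchange (certificate checks, signatures, DH), and with a Phase 2 every further SA under the same credentials is derived from the cached secret with only PRF work. The operation counts, the PRF label and the random stand-in for SKEYSEED are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed PRF used for child SA key derivation (HMAC-SHA256, assumed)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def phase1(ops: Counter) -> bytes:
    """One authenticated exchange (a 'Phase 1'). Only the cost is modelled:
    the counters stand in for the public-key work; the returned secret is a
    constructed stand-in for the SKEYSEED an IKE exchange would derive."""
    ops["cert_verify"] += 2   # each peer validates the other's certificate
    ops["sign"] += 2          # each peer signs the exchange
    ops["sig_verify"] += 2    # each peer checks the peer's signature
    ops["dh"] += 2            # one DH exponentiation per peer
    return secrets.token_bytes(32)


def phase2(skeyseed: bytes, ops: Counter) -> bytes:
    """Child SA key from the cached secret plus fresh nonces (quick mode):
    symmetric work only, so it can be repeated per SA at low cost."""
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    ops["prf"] += 1
    return prf(skeyseed, b"child-sa" + ni + nr)


def setup_sas(credential_per_sa, amortize: bool):
    """Set up one SA per entry; entries with equal credentials share a
    Phase 1 when amortize is True, otherwise every SA does its own."""
    ops, cache, keys = Counter(), {}, []
    for cred in credential_per_sa:
        if not amortize or cred not in cache:
            cache[cred] = phase1(ops)
        keys.append(phase2(cache[cred], ops))
    return keys, ops


def public_key_ops(ops: Counter) -> int:
    """Total count of the expensive (asymmetric) operations."""
    return ops["cert_verify"] + ops["sign"] + ops["sig_verify"] + ops["dh"]
```

Four QoS SAs under the same credentials cost 8 public-key operations with a Phase 2 and 32 without one; four SAs under four different credentials cost 32 either way, which is the case the thread sets aside.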