Re: Choosing between IKEv2 and JFK
Jan Vilhuber writes:
> On 8 Mar 2002, Derek Atkins wrote:
>
> > Michael Thomas <mat@cisco.com> writes:
> >
> > > Huh? The certs are only there for identity. If I
> > > want to have two different SA's so I get differential
> > > queuing treatment, there's nothing that says that I
> > > need two different identities. I just change the
> > > traffic selectors. This isn't any different than
> > > RSVP flow selectors and queuing treatment.
> >
> > No, in reality the certs are there for authorization. It's just that
> > people don't understand the concept of capabilities, so we have this
> > ad-hoc "identity" cert and map it via some local lookup method to a
> > set of capabilities.
For IKE in particular, that would be pretty idiomatic
(read: non-standard). I agree that there are cert
attributes, but IKE to my knowledge doesn't define
any standard use of them.
> > In terms of different flow selectors, it is perfectly reasonable to
> > say that each flow requires its own certificate specifying the
> > capability of that particular flow.
Fine. The original thread was about whether you
would ordinarily do that (re: auth amortization).
I find that pretty unpersuasive.
> I finally realized what bothers me about this, which I think is also
> what angelos was talking about: What you're really saying is that IKE
> is now essentially doing admission control for QoS based on a cert
> (attribute certs?!). I'm not sure I buy that. It's neither IPsec's nor
> IKE's job to perform admission control for QoS.
Right. That's RSVP's job. RFC 2752 is your friend.
Mike