Re: Choosing between IKEv2 and JFK



Jan Vilhuber writes:
 > On 8 Mar 2002, Derek Atkins wrote:
 > 
 > > Michael Thomas <mat@cisco.com> writes:
 > > 
 > > >    Huh? The certs are only there for identity. If I 
 > > >    want to have two different SA's so I get differential
 > > >    queuing treatment, there's nothing that says that I
 > > >    need two different identities. I just change the
 > > >    traffic selectors. This isn't any different than
 > > >    RSVP flow selectors and queuing treatment.
 > > 
 > > No, in reality the certs are there for authorization.  It's just that
 > > people don't understand the concept of capabilities, so we have this
 > > ad-hoc "identity" cert and map it via some local lookup method to a
 > > set of capabilities.

   For IKE in particular, that would be pretty idiomatic
   (read: non-standard). I agree that there are cert
   attributes, but IKE to my knowledge doesn't define
   any standard use of them.

 > > In terms of different flow selectors, it is perfectly reasonable to
 > > say that each flow requires its own certificate specifying the
 > > capability of that particular flow.

   Fine. The original thread was about whether you
   would ordinarily do that (re: auth amortization).
   I find that pretty unpersuasive.

 > I finally realized what bothers me about this, which I think is also
 > what angelos was talking about: What you're really saying is that IKE
 > is now essentially doing admission control for QoS based on a cert
 > (attribute certs?!). I'm not sure I buy that. It's neither IPsec's nor
 > IKE's job to perform admission control for QoS.

   Right. That's RSVP's job. RFC 2752 is your friend.

		 Mike