
Re: Choosing between IKEv2 and JFK



On Sat, 16 Mar 2002, Angelos D. Keromytis wrote:
> ...as for remote tunnel configuration and dead
> peer detection, my feeling is that they are both somewhat fuzzy issues and
> that they are not necessary to include in the core protocol -- they can just
> as easily be implemented as supplemental *application* protocols. This allows
> for much simpler implementations and better replaceability of such components.

I agree when it comes to the configuration stuff, but some way of checking
whether a peer is alive and still knows about current SAs -- without
incurring the overhead of renegotiation -- is highly desirable.  This
cannot, in general, be done with application-level protocols:  IPsec
tunnels don't necessarily carry gateway-to-gateway traffic. 

I note that the latest JFK draft tries to weasel out of this by saying
"well, if you want to do that, insist on being a special case"... but this
is an important requirement, and having to choose between interoperability
and being able to test for a black hole is -- to put it bluntly -- a
wretched design botch. 

The capability to do such a test needs to be a standard facility, reliably
present.  Whether it is done using a phase-1 connection in the manner of
IKE is not important... but the son-of-IKE specification must describe how
to do it and must explicitly insist that all implementations provide it. 

                                                          Henry Spencer
                                                       henry@spsystems.net
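The requirement argued for above, a liveness test that tells the initiator whether the peer is still there and still holds the SA without going through a full renegotiation, is illustrated below. This is an added example, not code from the post, the IKEv2 or JFK drafts, or any IPsec implementation. The probe is modelled loosely on an empty IKEv2 INFORMATIONAL request/response; the message names, the `Gateway` and `LivenessMonitor` classes, the `unknown_sa` outcome and the sample SPI are all constructed for the illustration.

```python
"""Constructed simulation of IKE-layer dead peer detection.

Illustration only: not code from the IKEv2 or JFK drafts or from any IPsec
implementation. A liveness probe is modelled after IKEv2's empty
INFORMATIONAL request/response; message names and the 'unknown_sa' reply
are simplifications chosen for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    """One IPsec gateway: the SAs it remembers and whether it is reachable."""
    name: str
    known_spis: set
    reachable: bool = True

    def handle_probe(self, msg_id: int, spi: int):
        """Answer a liveness probe about SA `spi`.

        Returns None when the probe is lost (gateway down or black-holed),
        otherwise a (message-type, msg_id, status) tuple.
        """
        if not self.reachable:
            return None
        if spi not in self.known_spis:
            # Up, but holds no state for this SA (e.g. it rebooted).
            return ("INFORMATIONAL-RESPONSE", msg_id, "unknown_sa")
        return ("INFORMATIONAL-RESPONSE", msg_id, "ok")


@dataclass
class LivenessMonitor:
    """Initiator-side probe loop with retransmission; no rekey is involved."""
    local: Gateway
    max_retries: int = 3
    transcript: list = field(default_factory=list)

    def check_peer(self, peer: Gateway, spi: int) -> str:
        """Probe `peer` about SA `spi`.

        Returns 'alive', 'stale_sa' (peer up but SA forgotten) or 'dead'
        (no answer after max_retries). Every message sent or received is
        appended to self.transcript as (from, to, type, msg_id, detail), so
        both sides of the exchange are visible.
        """
        for msg_id in range(1, self.max_retries + 1):
            self.transcript.append(
                (self.local.name, peer.name, "INFORMATIONAL-REQUEST", msg_id, spi))
            reply = peer.handle_probe(msg_id, spi)
            if reply is None:
                self.transcript.append(
                    (peer.name, self.local.name, "timeout", msg_id, spi))
                continue
            self.transcript.append((peer.name, self.local.name) + reply)
            return "alive" if reply[2] == "ok" else "stale_sa"
        return "dead"

    def reconcile(self, peer: Gateway, spi: int) -> str:
        """Run the check and drop the local SA if it has become a black hole.

        Only after that would an initiator fall back to a fresh negotiation;
        a healthy peer costs three small messages at most and no rekey.
        """
        status = self.check_peer(peer, spi)
        if status != "alive":
            self.local.known_spis.discard(spi)
        return status


def run_scenarios() -> dict:
    """Three constructed cases: healthy peer, rebooted peer, unreachable peer."""
    spi = 0x1001  # constructed sample SPI
    results = {}

    a, b = Gateway("gw-a", {spi}), Gateway("gw-b", {spi})
    results["healthy"] = LivenessMonitor(a).reconcile(b, spi)
    results["healthy_sa_kept"] = spi in a.known_spis

    a, b = Gateway("gw-a", {spi}), Gateway("gw-b", set())  # peer rebooted
    results["rebooted"] = LivenessMonitor(a).reconcile(b, spi)

    a, b = Gateway("gw-a", {spi}), Gateway("gw-b", {spi}, reachable=False)
    mon = LivenessMonitor(a)
    results["unreachable"] = mon.reconcile(b, spi)
    results["unreachable_probes"] = sum(
        1 for m in mon.transcript if m[2] == "INFORMATIONAL-REQUEST")
    results["unreachable_sa_torn_down"] = spi not in a.known_spis
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

The rebooted case is the one an application-level keepalive cannot distinguish from a quiet link: the peer answers, but it no longer knows the SA, so encrypted traffic sent to it is silently discarded. Because the probe is tied to the SA at the IKE layer, the monitor learns this in a single round trip and can tear the SA down instead of waiting for a renegotiation timer.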