
Re: divergent interpretations of IKE/IPsec - interop issues



On Fri, 22 Mar 2002, Markku Savela wrote:
> > No, it says that IKE should not do bundles without good reason.  There is
> > a cost, but there are also benefits.  Setting up a connection requires
> > negotiating bundles, not SAs.  If IKE does not do the bundling, something
> > else must...
> 
> IKE does not need to do the bundles. They are handled through the
> policy and SPD (as per RFC 2401).

How does "policy and SPD" determine, for example, whether authentication
can be done via ESP or must be done via AH, or whether compression should
be done?  These are matters which must be negotiated -- they can't be
decided unilaterally, because the two ends may have different preferences
even if their sets of permissible choices do overlap. 

Your references to "policy and SPD" always sound to me like saying "it's
somebody else's problem".  Well, but *whose*?  In real life, people use
IKE quite extensively to negotiate these things.  We cannot take such
functions out of IKE unless there is a replacement available to do them...
and why have two protocols when one suffices?

                                                          Henry Spencer
                                                       henry@spsystems.net
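The point being argued above, that a bundle choice cannot be made unilaterally when the two ends rank their permissible bundles differently, can be shown with a small model of the IKE Phase 2 style of negotiation (initiator offers proposals in preference order, responder accepts the first one its own policy permits). This is an added illustration, not code from the thread or from any IKE implementation; the two policy lists, the peer names and the function names are constructed for the example, and real IKE proposals also carry per-protocol transforms (algorithms, SPIs, lifetimes) that are left out here.

```python
"""Toy model of IKE-style selection of an IPsec SA bundle.

A "bundle" is the set of protocols applied to one connection, for example
("AH", "ESP") or ("IPComp", "ESP").  Each peer's policy (its SPD, in RFC 2401
terms) says which bundles are *permissible*, listed most preferred first.
Only the negotiation decides which permitted bundle both ends actually use.
"""
from typing import Optional, Sequence, Tuple

Bundle = Tuple[str, ...]

# Constructed example policies.  Both peers permit ESP-only and AH+ESP, but
# rank them differently, and only Alice permits IP compression.
ALICE_POLICY: Sequence[Bundle] = (
    ("IPComp", "ESP"),   # would like compression if the peer supports it
    ("ESP",),            # ESP with its own authentication
    ("AH", "ESP"),
)
BOB_POLICY: Sequence[Bundle] = (
    ("AH", "ESP"),       # wants AH for authentication when it can get it
    ("ESP",),
)


def unilateral_choice(policy: Sequence[Bundle]) -> Bundle:
    """What a peer would pick if it consulted only its own SPD."""
    return policy[0]


def negotiate(initiator: Sequence[Bundle],
              responder: Sequence[Bundle]) -> Optional[Bundle]:
    """Initiator offers its bundles in preference order; the responder
    accepts the first one its own policy permits.  Returns None when the
    permissible sets do not overlap at all (negotiation fails)."""
    permitted = set(responder)
    for proposal in initiator:
        if proposal in permitted:
            return proposal
    return None


def bundles_agree(left: Sequence[Bundle], right: Sequence[Bundle]) -> bool:
    """True if both ends, choosing unilaterally, would end up with the same
    bundle.  With the constructed policies above this is False even though
    the permissible sets overlap in two bundles."""
    return unilateral_choice(left) == unilateral_choice(right)


if __name__ == "__main__":
    print("Alice alone picks:", unilateral_choice(ALICE_POLICY))
    print("Bob alone picks:  ", unilateral_choice(BOB_POLICY))
    print("agree without negotiating?", bundles_agree(ALICE_POLICY, BOB_POLICY))
    print("Alice initiates:", negotiate(ALICE_POLICY, BOB_POLICY))
    print("Bob initiates:  ", negotiate(BOB_POLICY, ALICE_POLICY))
```

Note that the outcome depends on who initiates: with these policies Alice as initiator ends up with plain ESP, while Bob as initiator gets AH+ESP, and either way the chosen bundle is one both SPDs permit. Removing the negotiation step leaves each side with its own top choice and no guarantee the two match, which is the "somebody else's problem" gap the message points at.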