
About draft-ietf-ipsec-soi-features-00.txt



I suggest applying the well-known KISS principle. In particular,
favor the features that produce the simplest SOI possible, without
too much regard for IKEv1 code re-use. Code is generally fast to
write but slow to actually make function perfectly.

I don't pretend to have read through that whole draft, but I'd
apply the KISS principle to the authentication feature as follows.
Since certificate authentication appears to be sufficient,
and all usable products need certificate support anyway, throw
out preshared keying. One authentication method is easier
to test and make interoperable than two. Self-signed certs are also
more secure because the private key is still only in one place.

As for dead peer detection, I'd favor IKEv2 on the grounds that
the complexity of always negotiating (or failing to negotiate)
SAs permitting ICMP pings through is more than the complexity
of defining it to work via phase 1 messages and not negotiating
anything between the peers. This is particularly true of tunnel
mode SAs between gateways; who do you ping through the tunnel?

Ari

-- 
"They that can give up essential liberty to obtain a little 
temporary safety deserve neither liberty nor safety." - Benjamin Franklin

Ari Huttunen                   phone: +358 9 2520 0700
Software Architect             fax  : +358 9 2520 5001

F-Secure Corporation       http://www.F-Secure.com 

F(ully)-Secure products: Securing the Mobile Enterprise