Re: SOI schizophrenia
Jan Vilhuber writes:
> On Wed, 15 May 2002, Michael Thomas wrote:
>
> >
> > I admit it. I'm having a real hard time deciding
> > which design philosophy is actually more
> > appropriate for SOI. I've vacillated quite a few
> > times and it doesn't seem like it's about to abate
> > any time soon. What Paul's document tells me
> > (which pretty jibes with my own judgement) is that
> > both protocols are vast improvements over IKE, and
> > they seem to reach quite similar conclusions on
> > the basic message exchanges. Both put effort into
> > DoS, and simplify the on-wire combinatorial
> > explosion of SA establishment. All in all, they
> > both seem competent.
> >
>
> They are both competent from a cryptography point of view, but only
> one actually allows key management in any sane way. I think that's
> where the two part company, and we as a group need to decide which is
> more appropriate: A key *agreement* protocol (JFK) which will require
> other protocols (ICMP? Right..) to help solve the current deployment
> stability, or a key *management* protocol (IKEv2), that lets you
> manage the key we agreed on, without requiring other external
> management protocols.
I don't understand what you mean by "management"
in this context. JFK can add and delete SA, and
assigns lifetimes to them. It seems light on a
DPD scheme, but that seems like a negotiable
item. Two phases is just an optimization.
What am I missing?
Mike