[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SOI schizophrenia

To: Jan Vilhuber <vilhuber@cisco.com>, Michael Thomas <mat@cisco.com>
Subject: Re: SOI schizophrenia
From: Uri Blumenthal <uri@bell-labs.com>
Date: Sun, 19 May 2002 19:29:57 -0400
Cc: ipsec@lists.tislabs.com
In-Reply-To: <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
Organization: Lucent Technologies / Bell Labs
References: <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
Reply-To: uri@bell-labs.com
Sender: owner-ipsec@lists.tislabs.com

On Thursday 16 May 2002 16:58, Jan Vilhuber wrote:
> > All in all, they both seem competent.
>
> They are both competent from a cryptography point of view, but only
> one actually allows key management in any sane way. 

Precisely.

> I think that's
> where the two part company, and we as a group need to decide which is
> more appropriate: A key *agreement* protocol (JFK) which will require
> other protocols (ICMP? Right..) to help solve the current deployment
> stability, or a key *management* protocol (IKEv2), that let's you
> manage the key we agreed on, without requiring other external
> management protocols.

Indeed, a crucial distinction between a protocol that does the 
necessary math and a protocol that [in addition to that] provides the 
services required by the real world deployment.


> Of course another question might be: Do we need key management? Based
> on operational experience and fixing lots of customer deployment and
> network stability problems, I'd say that's an emphatic YES.

I'm surprised that even the question is brought up!  Isn't it "of 
course"?
-- 
Regards,
Uri
-=-=-<>-=-=-
<Disclaimer>

References:
- Re: SOI schizophrenia
  - From: Jan Vilhuber <vilhuber@cisco.com>

Prev by Date: Re: addresses and IKEv2
Next by Date: Re: SOI schizophrenia
Prev by thread: Re: SOI schizophrenia
Next by thread: RE: ike-modp-groups-04
Index(es):
- Date
- Thread