General Comments on draft-ipsec-soi-features-00.txt
I've read this document, and I have a few comments (more on the protocols than
the document itself). First, thanks to Paul Hoffman for summarizing the key
points of both protocols.
I don't doubt that both protocols achieve authentication and key generation,
so I'll focus on operational issues. In general, I think IKEv2 benefits from
the experience gained in implementing IKEv1 with respect to operational
requirements:
authentication by shared secret (IKEv2 has it, JFK doesn't):
I understand that this is an irksome issue, but nonetheless, my experience is
that users of IKE don't like to be limited in their options for
authentication methods. To this end, if SOI excludes shared secret as an
option for authentication, I think we'd find that we'd have a tough time
persuading users to migrate from the current IKE.
one-phase vs. two-phase argument:
The document brings up a valid point when it describes IKEv2's Phase 1 as a
"control channel" for IPSec SAs. The list of management tasks is not to be
overlooked: creating, deleting, and rekeying existing IPSec SAs, sending
protected notifies, and doing DPD are all important operational tasks that
IKEv1 currently supports. Certainly, in current deployments, I've seen where
all of the above are important aspects to IKEv1 as a key management protocol.
I think we've also seen in NAT traversal where two phases have turned out to be
useful.
...So there's my $0.02 worth. I think in a separate thread, there was the
distinction made between key agreement and key management. This is an
important distinction.
-g