
General Comments on draft-ipsec-soi-features-00.txt



I've read this document, and I have a few comments (more on the protocols than 
the document itself).  First, thanks to Paul Hoffman for summarizing the key 
points of both protocols.

I don't doubt that both protocols achieve authentication and key generation, 
so I'll focus on operational issues.  In general, I think IKEv2 benefits from 
the experience gained in implementing IKEv1 with respect to operational 
requirements:

authentication by shared secret (IKEv2 has it, JFK doesn't):
I understand that this is an irksome issue, but nonetheless, my experience is 
that users of IKE don't like to be limited in their options for 
authentication methods.  To this end, if SOI excludes shared secret as an 
option for authentication, I think we'd find that we'd have a tough time 
persuading users to migrate from the current IKE.

one phase-vs-two phase argument:
The document brings up a valid point when it describes IKEv2's Phase 1 as a 
"control channel" for IPSec SAs.  The list of management tasks is not to be 
overlooked: creating, deleting, and rekeying existing IPSec SAs, sending 
protected notifies, and doing DPD are all important operational tasks that 
IKEv1 currently supports.  Certainly, in current deployments, I've seen where 
all of the above are important aspects of IKEv1 as a key management protocol.
I think we've also seen in NAT traversal where two phases have turned out to be 
useful.

...So there's my $0.02 worth.  I think in a separate thread, there was the 
distinction made between key agreement and key management.  This is an 
important distinction.

-g
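The "control channel" point above (a phase-1 SA whose authenticated key protects the creation, rekeying and deletion of IPsec SAs, protected notifies, and DPD) is easier to see in code. The following is an added illustration, not code from the poster or from either draft. It is a deliberately simplified model: the phase-1 key is derived only from a pre-shared key and two constructed nonces (the real exchange also includes a Diffie-Hellman agreement, which is omitted), the message type numbers and header layout are made up for the example, and a replay window is reduced to a strictly increasing message id. What it shows is why the management tasks listed above need the long-lived authenticated SA: a delete or rekey that is not under the phase-1 key is rejected, and a replayed DPD probe is rejected.

```python
import hmac
import hashlib
import os
import struct
from dataclasses import dataclass, field

# Control-message types carried over the phase-1 "control channel".
# Constructed values for this example, not IKEv1 exchange/payload numbers.
CREATE_CHILD, REKEY_CHILD, DELETE_CHILD, DPD_ARE_YOU_THERE = 1, 2, 3, 4
HDR = ">IBI"            # message id, type, SPI (constructed header layout)
HDR_LEN = struct.calcsize(HDR)
MAC_LEN = 32


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class IkeSA:
    """Phase-1 SA: authenticated keys, replay state, and the child SAs it manages."""
    sk_a: bytes                       # protects control messages (MAC key)
    sk_d: bytes                       # derives child (IPsec) SA keys
    next_send_id: int = 0
    last_recv_id: int = -1
    children: dict = field(default_factory=dict)   # SPI -> child SA key


def phase1_psk(psk: bytes, ni: bytes, nr: bytes) -> IkeSA:
    """Simplified stand-in for a PSK-authenticated phase 1 (assumption: the
    Diffie-Hellman step is left out, so only psk and nonces feed the keys)."""
    skeyid = prf(psk, ni + nr)
    return IkeSA(sk_a=prf(skeyid, b"a"), sk_d=prf(skeyid, b"d"))


def build(sa: IkeSA, mtype: int, spi: int, payload: bytes = b"") -> bytes:
    """Emit a control message protected by the phase-1 SA: header || payload || MAC."""
    body = struct.pack(HDR, sa.next_send_id, mtype, spi) + payload
    sa.next_send_id += 1
    return body + prf(sa.sk_a, body)


def process(sa: IkeSA, msg: bytes):
    """Verify MAC and replay counter, then apply the management action.
    Returns (action, spi) or None if the message is rejected."""
    body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
    if not hmac.compare_digest(prf(sa.sk_a, body), mac):
        return None                   # not from our phase-1 peer: drop it
    msg_id, mtype, spi = struct.unpack(HDR, body[:HDR_LEN])
    if msg_id <= sa.last_recv_id:
        return None                   # replayed control message
    sa.last_recv_id = msg_id
    payload = body[HDR_LEN:]
    if mtype == CREATE_CHILD:
        sa.children[spi] = prf(sa.sk_d, struct.pack(">I", spi) + payload)
        return ("created", spi)
    if mtype == REKEY_CHILD and spi in sa.children:
        sa.children[spi] = prf(sa.sk_d, struct.pack(">I", spi) + payload)
        return ("rekeyed", spi)
    if mtype == DELETE_CHILD and spi in sa.children:
        del sa.children[spi]
        return ("deleted", spi)
    if mtype == DPD_ARE_YOU_THERE:
        return ("alive", spi)
    return None


def demo() -> dict:
    """Run one phase-1 SA through the management tasks and collect the outcomes."""
    psk = b"constructed pre-shared secret"          # constructed sample input
    ni, nr = bytes(range(16)), bytes(range(16, 32))  # constructed nonces
    alice = phase1_psk(psk, ni, nr)                  # initiator
    bob = phase1_psk(psk, ni, nr)                    # responder, same PSK
    spi = 0x1001
    out = {}
    out["create"] = process(bob, build(alice, CREATE_CHILD, spi, b"nonce-1"))
    key_before = bob.children[spi]
    out["rekey"] = process(bob, build(alice, REKEY_CHILD, spi, b"nonce-2"))
    out["key_changed"] = bob.children[spi] != key_before
    dpd = build(alice, DPD_ARE_YOU_THERE, spi)
    out["dpd"] = process(bob, dpd)
    out["replay"] = process(bob, dpd)                # same message again
    # An attacker without the phase-1 key cannot tear down the child SA.
    attacker = IkeSA(sk_a=os.urandom(32), sk_d=os.urandom(32))
    out["forged_delete"] = process(bob, build(attacker, DELETE_CHILD, spi))
    out["child_survived"] = spi in bob.children
    out["delete"] = process(bob, build(alice, DELETE_CHILD, spi))
    out["children_after"] = len(bob.children)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Every action that matters operationally (create, rekey, delete, DPD) goes through the same authenticated, replay-protected channel, which is the property the poster attributes to the phase-1 SA. A single-phase design that produces only an IPsec SA has to recreate that channel some other way before it can do an authenticated delete or a liveness probe.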