Re: Son of IKE: A proposal for moving forward



At 9:43 AM -0700 6/12/02, Michael Thomas wrote:
>The one thing I don't see here is any
>consideration of the very basic question of
>whether there are in fact two different problem
>spaces.

There are certainly more than two.

Michael is correct here in that we cannot evaluate the WG questions 
for the general problem of keying all possible uses of IPsec. Well, 
we can try, but it would be a waste of time (but typical of many IETF 
Working Groups...). At the end of the effort, we would probably have 
no general agreement on the significant questions.

Having said that, and showing my obvious bias towards VPNs, I propose 
that as we answer the questions, we do so with today's VPN customers 
in mind. These folks mostly do two things:

a) gateway-to-gateway, with each gateway possibly connecting to many 
other gateways

b) access over modems (or faster) from remote single-user computers

Let's get SOI done right for these customers.

Doing so doesn't prevent work from a different key exchange mechanism 
that addresses a different use case; the most obvious one that 
probably won't match with the use case above is remote access where 
there is a need for very quick keying, or where the remote parties 
have relatively slow CPUs, or where the remote parties have only 
small amounts of program memory, or some combination of these.

The work we have done in the past few months can help focus the 
feature sets for each of these efforts, as well as for other efforts 
that might arise later. But let's not pretend that we can do it all 
at once in a single protocol -- we know we can't, and we have good 
evidence that we can waste a lot of time trying.

--Paul Hoffman, Director
--VPN Consortium