
Re: SOI QUESTION: 4.1 Control channel vs. separate protocols
On Tue, 25 Jun 2002, Theodore Ts'o wrote:

>
> Notes from the chair:
>
> This question basically introduces the various questions raised by
> section 4 of the soi-features document, which goes to one of the biggest
> differences to the JFK and IKEv2 approach.
>
>
> 4. One or two phases
>
> 4.1 Control channel vs. separate protocols
>
> 4.1.A) [Meta question, that will be answered by the other questions in
> section 4.]  Does SOI need a control channel for SA management?  Or is
> it acceptable to piggy back SA management as a part of other parts of
> the SOI protocol?
>

As has been pointed out, if you believe that there will be a need for
multiple SAs between two peers, then an SA management channel is
required to amortize the cost of the authentication.

Based on the requirements document (QoS issues raised in several
places, multiple tunnels between two SGWs, PE-to-PE encryption (which
is similar to 'multiple tunnels between two SGWs'), etc.), I believe
multiple SAs between peers are going to be needed.

It also simplifies keepalives, delete notifications, and anything else
needed to try to keep an IPsec connection healthy, which would
otherwise have to be implemented in some other way (which seems more
dangerous. I'd rather analyze a single protocol than a suite of
protocols).

jan


> Implications from the Scenarios:
>
> VPN: <<<This calls out a need for either a two-phased approach for
> SOI, or a single-phased approach that is sufficiently fast, where
> "fast" represents an optimal combination of "number of messages" and
> "computational expenditure".>>> [[[4.1]]]
>
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe