Re: Last Call: The Group Domain of Interpretation to Proposed Standard



  You say it does not "define a new phase 2 of IKE" yet the introduction
says, "The Phase 2 exchange is defined in this document...." You point
out how no namespace changes to RFC2407 or RFC2409 are specified but
leave out the changes to RFC2408 that are required. You mention that
GDOI uses a different port yet all the problems and concerns regarding IKE
that were laid out in the Position Statement do not vanish if IKE is run
on a transport other than UDP port 500. But all these are red herrings.

  The key fact is that it shares considerable state with IKE. It also
requires an IKE SA to protect the phase 2 exchange you define (despite
your protests to the contrary) in the document. To quote section 6.1:

   "GDOI uses the Phase 1 exchanges defined in [RFC2409] to protect the 
    GROUPKEY-PULL exchange. Therefore all security properties and 
    considerations of those exchanges (as noted in [RFC2409]) are 
    relevant for GDOI."

It's all those security properties that are not supposed to be shared
according to the Position Statement. GDOI does nothing to improve the
complexity situation by grafting itself onto IKE, it merely inherits all
the complexity and concerns that are giving people the heebie-jeebies
today. That should be indisputable. And that should be cause for rejection
of GDOI as a Proposed Standard.

  Dan.

On Tue, 30 Jul 2002 11:21:46 PDT you wrote
> I'd like to address a couple of common misconceptions about GDOI.
> 
> GDOI does not actually define a new phase 2 of IKE. It does use IKE
> protocol definitions and structures. The GDOI protocol itself however
> seeks to separate itself from IKE in the following ways:
> 
> * Uses a DOI which is discrete from the IPSEC DOI
> * Uses a different port (the draft specifies "MUST NOT run on port 500")
> * Specifies no additions to the namespaces or described in RFC 2407 or
> changes to the protocols described in RFC 2409
> 
> This is a new protocol, not an update to IKE.
> 
> Brian
>