Re: Merging IKEv2 and JFKr?

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

Jan is correct here. JFKr was designed without extensibility in mind, 
particularly in that you have to be very careful about the contents 
of the unencrypted and encrypted parts of messages 3 and 4. We won't 
really know until Charlie delivers the first IKEv2 draft with the 
JFKr'd Phase 1, but it is likely to be much less extensible than the 
original IKEv2. It will certainly be harder for implementers to get 
messages 3 and 4 correct.

The WG straw poll didn't show a strong majority favoring either 
proposal. Approximately equal numbers of people said:
- the original IKEv2 Phase 1 was best
- JFKr was better because the responder could always assume he was under attack
The latter arguments aren't consistent because the same thing is true 
for the original IKEv2.

In the original IKEv2, the "difficulty" for an initiator to choose 
what to do when receiving message 3 is pretty minor. If the encrypt 
bit is not turned on, resend with the nonce; if the encrypt bit is 
turned on, continue on as normal.

It would be sad if we ended up restricting ourselves to a 
hard-to-extend IKEv2. The minor "difficulty" in the original IKEv2 
proposal is certainly worth the much lower difficulty in extending 
the protocol for things that this WG wants, such as standardized 
legacy authentication and remote access.

--Paul Hoffman, Director
--VPN Consortium