[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Merging IKEv2 and JFKr?
Jan is correct here. JFKr was designed without extensibility in mind,
particularly in that you have to be very careful about the contents
of the unencrypted and encrypted parts of messages 3 and 4. We won't
really know until Charlie delivers the first IKEv2 draft with the
JFKr'd Phase 1, but it is likely to be much less extensible than the
original IKEv2. It will certainly be harder for implementers to get
messages 3 and 4 correct.
The WG straw poll didn't show a strong majority favoring either
proposal. Approximately equal numbers of people said:
- the original IKEv2 Phase 1 was best
- JFKr was better because the responder could always assume he was under attack
The latter arguments aren't consistent because the same thing is true
for the original IKEv2.
In the original IKEv2, the "difficulty" for an initiator to choose
what to do when receiving message 3 is pretty minor. If the encrypt
bit is not turned on, resend with the nonce; if the encrypt bit is
turned on, continue on as normal.
It would be sad if we ended up restricting ourselves to a
hard-to-extend IKEv2. The minor "difficulty" in the original IKEv2
proposal is certainly worth the much lower difficulty in extending
the protocol for things that this WG wants, such as standardized
legacy authentication and remote access.
--Paul Hoffman, Director
--VPN Consortium