
Re: Regarding pre-round trip for stateless cookie (Jan's issue)



Just thought I'd clarify something Paul Hoffman said (and again,
I changed the subject line to focus on the technical issue).

>> From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
>>
>> - JFKr was better because the responder could always assume he was under
>> attack
>> The latter arguments aren't consistent because the same thing is true
>> for the original IKEv2.

Just because I had to read the above a few times before I understood what
he was saying, I thought I'd restate it in my own words.

What he's saying is that with the "4/6" design, if it's hard for
Bob to make a decision about whether he thinks he's under attack,
then he can always assume he's under attack, and always do the
6-message exchange.

The downside of the 6-message exchange is the extra round trip.
The downsides of "4" are the implementation issues Jan raised, and
that it is more complicated to specify and understand.

One other thing I was going to say in response to Jan's comment:
>>I expect there's not that many ways to skin this cat.

A quote I read once (forgot who said it) and can't resist sharing is
  "If there's more than one way to skin a cat, I don't want to hear about it"

:-)

Radia
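To make the "4/6" trade-off in the message above concrete, here is an added toy model (my own illustration, not code from this thread or from any IKEv2 draft). The `Responder` class, its HMAC-based cookie over initiator address and nonce, the `half_open_limit` threshold, and the 198.51.100.x / 203.0.113.x addresses are all constructed for the example. It shows the two policies side by side: a responder that adaptively decides when it is under attack, and one that follows Paul's "always assume you're under attack" rule and therefore always takes the 6-message path, at the cost of the extra round trip for honest initiators.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Responder:
    """Bob. Holds no per-initiator state until a request is admitted,
    either on the no-cookie fast path or after a valid cookie comes back."""
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    always_assume_attack: bool = False   # the "always do 6 messages" policy
    half_open_limit: int = 100           # adaptive policy threshold (constructed value)
    half_open: int = 0                   # exchanges for which Bob currently holds state

    def cookie_for(self, initiator_addr: str, nonce: bytes) -> bytes:
        # Stateless cookie: recomputable from Bob's secret and fields of the
        # request, so a flood of message 1s costs Bob one MAC each and no memory.
        msg = initiator_addr.encode() + nonce
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def under_attack(self) -> bool:
        return self.always_assume_attack or self.half_open >= self.half_open_limit

    def handle_message1(self, initiator_addr: str, nonce: bytes,
                        cookie: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
        """Returns ("proceed", None), ("cookie", cookie) or ("reject", None)."""
        if cookie is not None:
            if hmac.compare_digest(cookie, self.cookie_for(initiator_addr, nonce)):
                self.half_open += 1          # only now does Bob commit state
                return ("proceed", None)
            return ("reject", None)
        if self.under_attack():
            return ("cookie", self.cookie_for(initiator_addr, nonce))
        self.half_open += 1                  # 4-message path: state before any proof of reachability
        return ("proceed", None)


def honest_exchange(bob: Responder, addr: str, nonce: bytes) -> int:
    """Alice, who really is at `addr` and so receives Bob's replies.
    Returns the number of messages on the wire for the whole exchange."""
    verdict, cookie = bob.handle_message1(addr, nonce)
    if verdict == "proceed":
        return 4                             # messages 1-2, then 3-4
    verdict, _ = bob.handle_message1(addr, nonce, cookie)
    assert verdict == "proceed"
    return 6                                 # 1-2 (cookie demand), 3-4, 5-6


def spoofed_flood(bob: Responder, count: int) -> int:
    """An attacker sending message 1 from addresses it cannot receive at.
    It never sees the cookie, so it can only retry without one or guess one.
    Returns how many half-open states Bob was forced to hold."""
    before = bob.half_open
    for i in range(count):
        addr = f"203.0.113.{i % 256}"        # constructed spoofed source
        bob.handle_message1(addr, os.urandom(8))
        bob.handle_message1(addr, os.urandom(8), cookie=os.urandom(16))  # blind guess
    return bob.half_open - before
```

With `always_assume_attack=True` the flood leaves `half_open` at zero and every honest exchange costs 6 messages; with the adaptive policy the first `half_open_limit` spoofed requests each cost Bob a state entry before he switches to demanding cookies, and the hard part (as Jan's implementation comments suggest) is choosing and tuning that switch. The model deliberately never expires half-open state and never rotates the secret; a real responder does both.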