Revised SOI Internet Draft to be posted

I have just sent to the internet drafts editor a revised draft:
draft-ietf-ipsec-ikev2-03.txt. I don't know how long it takes to get such
things posted, I don't have a public web site to post it on, and it seemed
rude to spam this list with such a large document. I've sent copies to a
few people in hopes that one of them can post it and announce its
availability here. I am unfortunately going to be out of town for the rest of
this week and so will likely not be able to mail out copies myself.

This draft contains a number of changes that have turned out to be
controversial. I was hoping to resolve the controversies before posting the
draft, but it has become clear that isn't going to happen. I hope the
revised draft can focus the debate. I am not trying to preempt any debate;
I'm happy to make it say whatever the working group wants.

The controversies are:

1) Instead of a 4 message exchange that sometimes becomes 6 (as in earlier
versions of IKEv2), the protocol is modified to always require 4 messages
to set up the initial SAs (as in JFK). While this sounds simpler, it is
arguably more complex and some people are arguing to change it back.

2) Instead of negotiating all cryptographic algorithms separately, they are
negotiated as "suites". This greatly simplifies the specification, but some
people claim it is too inflexible and makes implementations harder to test.
They would like to change it back. If we continue with suites, we will
presumably have to specify more suites. I have only specified two: one for
IKE and one for ESP. I tried to specify the algorithms in most common use
today, which I believe are based on SHA-1 and 3DES.

There has also been some discussion of whether some of the deployed
extensions (such as an authentication protocol tuned for use with weak
passwords and firewall traversal) should be specified in the base document.

          --Charlie Kaufman

Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
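The second controversy above (per-algorithm negotiation versus suites) is easier to weigh with both models side by side. The following is an added example, not code from the draft or from the message's author: it models each side's offer as data and shows that negotiating components independently makes every combination of commonly supported algorithms reachable, including ones nobody reviewed as a whole, whereas a suite identifier only ever selects a complete, pre-reviewed combination. All algorithm names, suite identifiers and preference lists are constructed placeholders, not registry values from any IKEv2 draft.

```python
"""Per-algorithm versus suite-based negotiation, modelled in Python.

Constructed example: the algorithm names and suite identifiers below are
illustrative placeholders, not the registries or suite numbers of any IKEv2 draft.
"""
from itertools import product

# Each side lists the algorithms it supports, most preferred first (constructed data).
INITIATOR_ALGS = {
    "encr":  ["3DES", "AES-128", "NULL"],
    "integ": ["HMAC-SHA1", "HMAC-MD5"],
    "dh":    ["MODP-1024", "MODP-2048"],
}
RESPONDER_ALGS = {
    "encr":  ["AES-128", "NULL", "3DES"],
    "integ": ["HMAC-MD5", "HMAC-SHA1"],
    "dh":    ["MODP-1024"],
}

# Suite model: one identifier names a complete, reviewed combination (constructed suites).
SUITES = {
    "SUITE-A": {"encr": "3DES", "integ": "HMAC-SHA1", "dh": "MODP-1024"},
    "SUITE-B": {"encr": "AES-128", "integ": "HMAC-SHA1", "dh": "MODP-2048"},
}
INITIATOR_SUITES = ["SUITE-B", "SUITE-A"]
RESPONDER_SUITES = ["SUITE-A"]


def negotiate_per_algorithm(initiator, responder):
    """Pick each component independently: the initiator's first choice the responder also supports.

    Returns None if any component has no algorithm in common.
    """
    chosen = {}
    for component, prefs in initiator.items():
        common = [alg for alg in prefs if alg in responder.get(component, [])]
        if not common:
            return None
        chosen[component] = common[0]
    return chosen


def reachable_combinations(initiator, responder):
    """All combinations per-algorithm negotiation could produce under some preference order.

    Components are chosen independently, so the set is the Cartesian product
    of the algorithms both sides support for each component.
    """
    components = list(initiator)
    common_lists = []
    for component in components:
        common = sorted(set(initiator[component]) & set(responder.get(component, [])))
        if not common:
            return []
        common_lists.append(common)
    return [dict(zip(components, combo)) for combo in product(*common_lists)]


def unvetted_combinations(initiator, responder, suites):
    """Reachable combinations that no suite definition has reviewed as a whole."""
    vetted = {tuple(sorted(s.items())) for s in suites.values()}
    return [c for c in reachable_combinations(initiator, responder)
            if tuple(sorted(c.items())) not in vetted]


def negotiate_suite(initiator_suites, responder_suites, suites):
    """Suite model: agree on one identifier; every parameter follows from the table."""
    for suite_id in initiator_suites:
        if suite_id in responder_suites:
            return suite_id, suites[suite_id]
    return None


if __name__ == "__main__":
    print("per-algorithm result:", negotiate_per_algorithm(INITIATOR_ALGS, RESPONDER_ALGS))
    combos = reachable_combinations(INITIATOR_ALGS, RESPONDER_ALGS)
    bad = unvetted_combinations(INITIATOR_ALGS, RESPONDER_ALGS, SUITES)
    print(f"{len(combos)} combinations reachable, {len(bad)} never reviewed as a suite")
    for c in bad:
        print("  unvetted:", c)
    print("suite result:", negotiate_suite(INITIATOR_SUITES, RESPONDER_SUITES, SUITES))
```

With the constructed offers, per-algorithm negotiation happens to land on the same parameters as SUITE-A, but six combinations are reachable and five of them (among them NULL encryption with HMAC-MD5) were never reviewed as a unit; an implementer has to test and reason about all six. The suite model narrows the outcome to the identifiers both sides list, which is the simplification the message describes, at the cost of having to define a new suite whenever a new combination is wanted, which is the inflexibility the objectors raise.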