[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

"Me Tarzan, You Jane" in IKEv2-05

To: ipsec@lists.tislabs.com
Subject: "Me Tarzan, You Jane" in IKEv2-05
From: Dan Harkins <dharkins@trpz.com>
Date: Fri, 28 Feb 2003 09:09:46 -0800
Sender: owner-ipsec@lists.tislabs.com

  When we began the IKEv2 effort we looked at things in IKEv1 that
at the time sounded like good ideas but in practice were rarely,
if ever, used-- e.g. phase 1 negotiation (hence the 4/6 exchange),
complex SA offers of (((A & B) | (C & D)) | E), etc.-- and we
decided to get rid of them in IKEv2. While these things were rarely
used they had to be supported by all. They're mandatory options. 
I think "Me Tarzan, You Jane" will be another one.

  It is also poorly defined. What sort of identity is used as the
hint? What if the TR payloads are coarse and the identity is fine,
how does the SPD make sure that no packets mix that aren't from that
identity? When you have a pcb (or like data structure) to hang on
to it's possible but not all SAs will necessarily be tied to pcbs.
This is IP we're talking about anyway and identities and applications
are not in the realm of IP. Securing things based on identities or
applications is best left to protocol that have that context, like
TLS/SSL.

  This is a cute feature but I doubt it would be used in practice
and therefore it's just another mandatory option that everyone
has to implement but never use. It's the kind of thing we were
supposed to get rid of in IKEv2. Let's get rid of it.

  thanks,

    Dan.

Follow-Ups:
- Re: "Me Tarzan, You Jane" in IKEv2-05
  - From: Derek Atkins <derek@ihtfp.com>

Prev by Date: CREATE_CHILD_SA exchange in IKEv2-05
Next by Date: the encrypted payload in IKEv2-05
Prev by thread: CREATE_CHILD_SA exchange in IKEv2-05
Next by thread: Re: "Me Tarzan, You Jane" in IKEv2-05
Index(es):
- Date
- Thread