I noticed something at tonight's Bar BOF that I believe will be a critical factor in whether an eventual BOF succeeds: different groups seemed to have very different scenarios they were trying to address (which is OK) and they didn't seem to understand or respect the important scenarios of the other groups (which is not).

As I see it, there are four things the IPsec Failover protocol is trying to save over just redoing a fresh IKE exchange in the case of failover. The first two relate solely to performance; the second two have user visible implications.

1) The cost of a fresh Diffie-Hellman calculation.

2) The cost of two round trips during the exchange.

3) Rerunning an EAP exchange that could involve user participation.

4) Keeping the "internal" IP address so that open tunneled TCP connections can stay open and applications that cache the client's IP address don't need to be restarted.

The protocol being proposed could facilitate achieving all of those goals in their particular scenarios. Some people seemed to believe that (4) was the really important consideration and the others were nice-to-have. Others seemed to think that 1-3 were the important considerations and (4) was unrealistic. It is unrealistic in some scenarios, but very realistic in others. MOBIKE provides such capabilities, and it would be worth exploring how much overlap there is in the goals of these two protocols. There may have been people who valued different subsets of those features who weren't quite as vocal.

If these groups want to jointly present a proposal (and the chances of success are much greater if they do), they need to learn to (at least in "public") speak respectfully of the needs of the other groups, which probably implies understanding them. It appears there is an "everybody wins" protocol on the table; we just all need to get behind it (and its successors).

--Charlie