The one thing I don't see here is any
consideration of the very basic question of
whether there are in fact two different problem
spaces.
There are certainly more than two.
Michael is correct here in that we cannot evaluate the WG questions
for the general problem of keying all possible uses of IPsec. Well,
we can try, but it would be a waste of time (but typical of many IETF
Working Groups...). At the end of the effort, we would probably have
no general agreement on the significant questions.
Having said that, and showing my obvious bias towards VPNs, I propose
that as we answer the questions, we do so with today's VPN customers
in mind. These folks mostly do two things:
a) gateway-to-gateway, with each gateway possibly connecting to many
other gateways
b) access over modems (or faster) from remote single-user computers
Let's get SOI done right for these customers.
Doing so doesn't prevent work from a different key exchange mechanism
that addresses a different use case; the most obvious one that
probably won't match with the use case above is remote access where
there is a need for very quick keying, or where the remote parties
have relatively slow CPUs, or where the remote parties have only
small amounts of program memory, or some combination of these.
The work we have done in the past few months can help focus the
feature sets for each of these efforts, as well as for other efforts
that might arise later. But let's not pretend that we can do it all
at once in a single protocol -- we know we can't, and we have good
evidence that we can waste a lot of time trying.