
Re: Results of protocol straw poll

  Touching IKE seems to be allowed if you say, "I am not touching IKE" and
then proceed to touch IKE. The Group DOI draft in the MSEC WG does exactly
what XAUTH did (create another post-phase 1 exchange). That is permissible
while XAUTH/Hybrid is not for some strange reason.

  Comparing PIC and CRACK is also interesting. Both use UDP/500. Both add
and define payloads. One (which one?) looks like this:

   hdr, sa, ke, ni         ---->
                          <----  hdr, sa, ke, nr, id, sig, hash, <new payload>
   hdr, hash, <new payload> ---->
                          <---- hdr, hash, <new payload>

                    repeat last two as needed

while the other (which one?) looks like this:

   hdr, sa, ke, ni          ---->
                            <---- hdr, sa, ke, nr, id, sig
   hdr, <new payload>       ----> 
                            <---- hdr, <new payload>

                    repeat last two as needed

One of these is a change to IKE while the other is not.

  The main difference between the two seems to be that with PIC you get an 
authenticated Diffie-Hellman and then throw it away and get another 
authenticated Diffie-Hellman before you start doing IPsec while with CRACK 
you get an authenticated Diffie-Hellman and then start doing IPsec. 

  But PIC is very IKE-like. It uses the same payloads. It listens on the same 
port. Given these facts it seems a little disingenuous to keep saying that
PIC is not changing IKE but CRACK is. Both would end up doing almost exactly
the same thing. You'd touch almost exactly the same chunks of code to write
each one and IKE would end up being changed in exactly the same way.

  Dan.
 
On Sun, 06 May 2001 19:12:15 +0300 you wrote
> 
> I voted for PIC because my understanding is that touching IKE is a no-no, ruling
> out all these protocols. If IKE can be changed (I want area directors to state
> this, please), I might vote differently. In particular I might vote for some
> combination of PIC and CRACK.