Re: Results of protocol straw poll
Hi Dan,

Comments below...

Dan Harkins wrote:
> 
>   Comparing PIC and CRACK is also interesting. Both use UDP/500. Both add
> and define payloads. One (which one?) looks like this:
> 
>    hdr, sa, ke, ni         ---->
>                           <----  hdr, sa, ke, nr, id, sig, hash, <new payload>
>    hdr, hash, <new payload> ---->
>                           <---- hdr, hash, <new payload>
> 
>                     repeat last two as needed
> 
> while the other (which one?) looks like this:
> 
>    hdr, sa, ke, ni          ---->
>                             <---- hdr, sa, ke, nr, id, sig
>    hdr, <new payload>       ---->
>                             <---- hdr, <new payload>
> 
>                     repeat last two as needed
> 
> One of these is a change to IKE while the other is not.
> 
>   The main difference between the two seems to be that with PIC you get an
> authenticated Diffie-Hellman and then throw it away and get another
> authenticated Diffie-Hellman before you start doing IPsec while with CRACK
> you get an authenticated Diffie-Hellman and then start doing IPsec.
> 
>   But PIC is very IKE-like. It uses the same payloads. It listens on the same
> port. Given these facts it seems a little disingenuous to keep saying that
> PIC is not changing IKE but CRACK is. Both would end up doing almost exactly
> the same thing. You'd touch almost exactly the same chunks of code to write
> each one and IKE would end up being changed in exactly the same way.
> 
>   Dan.
> 

One significant difference is that CRACK must run on the sgw, while PIC
may not. This is not meant as an endorsement of PIC over CRACK, but
simply a statement of a difference.

I'm working on a (brief) draft comparing the various proposed
alternatives which I should be able to get out to the list within the
next few days. This should aid us in this discussion.

Scott