Re: Results of protocol straw poll
Hi Dan,
Comments below...
Dan Harkins wrote:
>
> Comparing PIC and CRACK is also interesting. Both use UDP/500. Both add
> and define payloads. One (which one?) looks like this:
>
> hdr, sa, ke, ni ---->
> <---- hdr, sa, ke, nr, id, sig, hash, <new payload>
> hdr, hash, <new payload> ---->
> <---- hdr, hash, <new payload>
>
> repeat last two as needed
>
> while the other (which one?) looks like this:
>
> hdr, sa, ke, ni ---->
> <---- hdr, sa, ke, nr, id, sig
> hdr, <new payload> ---->
> <---- hdr, <new payload>
>
> repeat last two as needed
>
> One of these is a change to IKE while the other is not.
>
> The main difference between the two seems to be that with PIC you get an
> authenticated Diffie-Hellman and then throw it away and get another
> authenticated Diffie-Hellman before you start doing IPsec while with CRACK
> you get an authenticated Diffie-Hellman and then start doing IPsec.
>
> But PIC is very IKE-like. It uses the same payloads. It listens on the same
> port. Given these facts it seems a little disingenuous to keep saying that
> PIC is not changing IKE but CRACK is. Both would end up doing almost exactly
> the same thing. You'd touch almost exactly the same chunks of code to write
> each one and IKE would end up being changed in exactly the same way.
>
> Dan.
>
One significant difference is that CRACK must run on the sgw, while PIC
may not. This is not meant as an endorsement of PIC over CRACK, but
simply a statement of a difference.
I'm working on a (brief) draft comparing the various proposed
alternatives which I should be able to get out to the list within the
next few days. This should aid us in this discussion.
Scott
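The structural difference Dan's mail describes (an authenticated Diffie-Hellman whose key is either discarded in favour of a second one before IPsec, or carried straight into IPsec) can be modelled in a few lines. The following is an added toy simulation, not code from the original thread or from any PIC or CRACK implementation: the DH group, the HMAC stand-in for the responder's `sig`, the `RESPONDER_KEY`, the key-derivation labels and the payload names are all constructed for illustration, and only the DH-count difference stated in the mail is modelled.

```python
"""Toy model of the two exchange shapes: both start with an authenticated DH and
run legacy-auth rounds under its key; one then discards that key and runs a
second authenticated DH before IPsec, the other keys IPsec from the first DH."""
import hashlib
import hmac
import secrets

# Constructed toy DH group (real IKE uses the MODP groups of RFC 2409).
P = 2**127 - 1          # Mersenne prime, small enough to run instantly
G = 3

# Stand-in for the responder's long-term signing key: an HMAC key the
# initiator is assumed to trust (a real gateway would present a certificate).
RESPONDER_KEY = b"constructed-responder-key"


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def kdf(label, *ints):
    h = hashlib.sha256(label.encode())
    for n in ints:
        h.update(n.to_bytes(16, "big"))   # every value here is < 2**128
    return h.digest()


def authenticated_dh(transcript, stats):
    """One 'hdr,sa,ke,ni ---->  /  <---- hdr,sa,ke,nr,id,sig' round.

    Returns the key both sides derive; the responder's 'sig' (HMAC stand-in)
    over both public values and nonces authenticates it to the initiator."""
    xi, gi = dh_keypair()
    ni = secrets.randbits(64)
    transcript.append(("I->R", ["hdr", "sa", "ke", "ni"]))

    xr, gr = dh_keypair()
    nr = secrets.randbits(64)
    sig_input = kdf("sig-input", gi, gr, ni, nr)
    sig = hmac.new(RESPONDER_KEY, sig_input, hashlib.sha256).digest()
    transcript.append(("R->I", ["hdr", "sa", "ke", "nr", "id", "sig"]))

    # Initiator verifies the responder before trusting the shared secret.
    expected = hmac.new(RESPONDER_KEY, sig_input, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("responder authentication failed")

    k_init = pow(gr, xi, P)
    k_resp = pow(gi, xr, P)
    assert k_init == k_resp
    stats["dh_runs"] += 1
    return kdf("skeyid", k_init, ni, nr)


def legacy_auth(transcript, key, rounds):
    """The 'hdr, hash, <new payload>' rounds, repeated as needed; each new
    payload is bound to the current DH key by an HMAC 'hash' payload."""
    for i in range(rounds):
        for direction in ("I->R", "R->I"):
            tag = hmac.new(key, f"legacy-auth-{i}-{direction}".encode(),
                           hashlib.sha256).hexdigest()[:8]
            transcript.append((direction, ["hdr", f"hash({tag})", "<new payload>"]))


def ipsec_key_from(skeyid):
    """Constructed derivation of the IPsec key from a DH key."""
    return hashlib.sha256(b"ipsec" + skeyid).digest()


def summarize(stats, transcript, first_key, ipsec_key):
    return {"dh_runs": stats["dh_runs"],
            "ipsec_from_first_dh": ipsec_key == ipsec_key_from(first_key),
            "transcript": transcript}


def pic_style(rounds=2):
    """Authenticated DH, legacy auth under it, discard, second DH, then IPsec."""
    transcript, stats = [], {"dh_runs": 0}
    first_key = authenticated_dh(transcript, stats)
    legacy_auth(transcript, first_key, rounds)
    second_key = authenticated_dh(transcript, stats)   # first key thrown away
    return summarize(stats, transcript, first_key, ipsec_key_from(second_key))


def crack_style(rounds=2):
    """Authenticated DH, legacy auth under it, then IPsec keyed from that DH."""
    transcript, stats = [], {"dh_runs": 0}
    first_key = authenticated_dh(transcript, stats)
    legacy_auth(transcript, first_key, rounds)
    return summarize(stats, transcript, first_key, ipsec_key_from(first_key))


if __name__ == "__main__":
    for name, run in (("PIC-style", pic_style), ("CRACK-style", crack_style)):
        r = run(rounds=2)
        print(f"{name}: {r['dh_runs']} DH run(s), "
              f"IPsec keyed from first DH: {r['ipsec_from_first_dh']}")
        for direction, payloads in r["transcript"]:
            print("   ", direction, ", ".join(payloads))
```

Running it prints both transcripts: the message shapes are the same up to the extra `sa, ke, ni / nr, id, sig` round, which is the whole of the difference the mail is arguing about; the number of payload types touched and the port are identical in both.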