Re: KINK should reference IKEv2?
[Adding Steve to make sure I'm not misrepresenting what he means.]
>>>>> "Shoichi" == Shoichi Sakane <sakane@xxxxxxxx> writes:
>> Somebody will need to help me (us) here: can IKEv1 successfully
>> establish 2401bis SA's? Can IKEv2 successfully establish 2401
>> SA's? I'm _guessing_ that the answer to both is "yes", but the
>> big question is whether there's anything in IKEv2 that is
>> exchanged across the wire to inform the other side whether it's
>> 2401 or 2401bis. If so, we may need a similar mechanism.
Shoichi> Stephen Kent, who is the 2401bis author, answered my
Shoichi> question on the ipsec mailing list:
Shoichi> 2401bis implicitly establishes requirements for
Shoichi> certain features for a key/SA management protocol to
Shoichi> enable systems to make full use of the IPsec features
Shoichi> defined in 2401bis. IKEv2 satisfies these requirements;
Shoichi> IKE v1 does not. It's way too late to suggest that we
Shoichi> degrade requirements in 2401bis to be backwards
Shoichi> compatible with IKE v1.
Shoichi> It seems that IKEv1 does not work on 2401bis.
That's not how I read what Steve is saying. A 2401bis system can
support IKEv1. However the 2401bis SPD can require the system to do
things that IKEv1 cannot do.
Put another way, a 2401bis system can have multiple key management
protocols. At least one of these protocols needs to support all the
attributes of a 2401bis SPD. For this reason and because it is
explicitly required, 2401bis systems MUST support IKEv2.
I'm not trying to require KINK to support all features that 2401bis
requires from a key management protocol. It's fine if on a 2401bis
system the IPsec architecture sometimes asks KINK to set up an SA
but KINK fails because it does not support something about that SA.
What I am requiring is that KINK work with a 2401bis system. That is,
the KINK specification needs to use the same terminology and model as
2401bis. Similarly, it needs to be possible to implement KINK on a
2401bis system, and the only problem should be that some features
2401bis would like to have from an automated key management protocol
are not available.
--Sam
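To make the model in Sam's message concrete, here is an added illustration (not code from the thread, from KINK, or from any IPsec implementation) of a 2401bis system that has more than one key management protocol configured. It assumes that one of the features 2401bis asks the key management protocol to negotiate is the selector-list form of SPD entries (lists of address and port ranges per entry), that IKEv2 can carry such lists and port ranges in its traffic selectors, and that KINK, reusing IKEv1-style Quick Mode identity payloads, carries a single selector per side. The SPD entries, the protocol capability flags and the helper names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)  # "any port": every protocol modelled here can express it


@dataclass
class SpdEntry:
    """Constructed model of one 2401bis SPD entry.

    Each selector is a *list* of ranges; this is the kind of attribute the
    architecture may ask a key management protocol to negotiate.
    """
    name: str
    local_addrs: List[Tuple[str, str]]    # (first, last) address ranges
    remote_addrs: List[Tuple[str, str]]
    local_ports: List[Tuple[int, int]]    # (low, high) port ranges
    remote_ports: List[Tuple[int, int]]


@dataclass
class KeyMgmtProtocol:
    name: str
    selector_lists: bool   # can carry more than one selector per side
    port_ranges: bool      # can carry a port range other than "any"

    def unsupported(self, e: SpdEntry) -> List[str]:
        """Features of entry `e` that this protocol cannot negotiate."""
        missing: List[str] = []
        if not self.selector_lists and any(
            len(sel) > 1
            for sel in (e.local_addrs, e.remote_addrs, e.local_ports, e.remote_ports)
        ):
            missing.append("selector lists")
        if not self.port_ranges and any(
            lo != hi and (lo, hi) != ANY_PORT
            for lo, hi in e.local_ports + e.remote_ports
        ):
            missing.append("port ranges")
        return missing


# Assumed capabilities (see lead-in): IKEv2 covers the full 2401bis SPD model,
# KINK carries one IKEv1-style selector per side.
IKEV2 = KeyMgmtProtocol("IKEv2", selector_lists=True, port_ranges=True)
KINK = KeyMgmtProtocol("KINK", selector_lists=False, port_ranges=False)

# Constructed sample SPD for a 2401bis system.
SAMPLE_SPD = [
    SpdEntry("ssh-to-bastion",
             [("10.0.0.5", "10.0.0.5")], [("203.0.113.7", "203.0.113.7")],
             [ANY_PORT], [(22, 22)]),
    SpdEntry("web-cluster",
             [("10.0.0.5", "10.0.0.5")],
             [("192.0.2.10", "192.0.2.20"), ("198.51.100.0", "198.51.100.255")],
             [ANY_PORT], [(80, 80), (443, 443)]),
    SpdEntry("ephemeral-out",
             [("10.0.0.5", "10.0.0.5")], [("203.0.113.9", "203.0.113.9")],
             [(1024, 65535)], [ANY_PORT]),
]


def full_coverage(protocols: List[KeyMgmtProtocol], spd: List[SpdEntry]) -> List[str]:
    """Names of the protocols that can negotiate every entry in the SPD.

    The 2401bis requirement in the message: this list must not be empty,
    and IKEv2 is the protocol that is required to be in it.
    """
    return [p.name for p in protocols if all(not p.unsupported(e) for e in spd)]


def negotiate(entry: SpdEntry, preferred: List[KeyMgmtProtocol]):
    """Try protocols in preference order; a protocol that lacks a needed
    feature fails for this SA and the next one is tried. Returns the name
    of the protocol used (or None) plus the list of attempts made."""
    attempts: List[Tuple[str, List[str]]] = []
    for p in preferred:
        missing = p.unsupported(entry)
        attempts.append((p.name, missing))
        if not missing:
            return p.name, attempts
    return None, attempts


if __name__ == "__main__":
    print("full coverage:", full_coverage([KINK, IKEV2], SAMPLE_SPD))
    for e in SAMPLE_SPD:
        used, attempts = negotiate(e, [KINK, IKEV2])
        print(f"{e.name}: used {used}; attempts {attempts}")
```

Running it shows the split the message describes: the plain host-to-host SSH entry is set up by KINK, while the entries that need selector lists or port ranges fail in KINK and are handled by IKEv2, and only IKEv2 appears in the full-coverage list. Preferring KINK first is just the example's choice of order.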