[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: KINK should referenece to IKEv2?

[Adding Steve to make sure I'm not misrepresenting what he means.]

>>>>> "Shoichi" == Shoichi Sakane <sakane@xxxxxxxx> writes:

    >> Somebody will need to help me (us) here: can IKEv1 successfully
    >> establish 2401bis SA's? Can IKEv2 successfully establish 2401
    >> SA's? I'm _guessing_ that the answer to both is "yes", but the
    >> big question is whether there's anything in IKEv2 what is
    >> exchanged across the wire to inform the other side whether it's
    >> 2401 or 2401bis. If so, we may need a similar mechanism.

    Shoichi> Stephan Kent who is 2401bis author answered to my
    Shoichi> question in the ipsec mailing list:

    Shoichi> 	2401bis implicitly establishes requirements for
    Shoichi> certain features for a key/SA management protocol to
    Shoichi> enable systems to make full use of the IPsec features
    Shoichi> defined in 2401bis. IKEv2 satisfies these requirements;
    Shoichi> IKE v1 does not. It's way too late to suggest that we
    Shoichi> degrade requirements in 2401bis to be backwards
    Shoichi> compatible with IKE v1.

    Shoichi> it seems that IKEv1 does not work on 2401bis.

That's not how I read what Steve is saying.  A 2401bissystem can
support IKEv1.  However the 2401bis SPD can require the system to do
things that IKEv1 cannot do.

Put another way, a 2401bis system can have multiple key management
protocols.  At least one of these protocols needs to support all the
attributes of a 2401bis SPD.  For this reason and because it is
explicitly required, 2401bis systems MUST support ikev2.

I'm not trying to require Kink to support all features that 2401bis
requires from a key management protocol.  It's fine if on a 2401bis
system sometimes the IPsec architecture requests Kink to set up a SA
but Kink fails because it does not support something about the SA.

What I am requiring is that Kink work with a 2401bis system.  That is,
the Kink specification needs to use the same terminology and model as
2401bis.  Similarly it needs to be possible to implement Kink on a
2401bis system and the only problem should be that some features
2401bis would like to have from an automated key management protocol
are not available.