[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: KINK should referenece to IKEv2?
[Adding Steve to make sure I'm not misrepresenting what he means.]
>>>>> "Shoichi" == Shoichi Sakane <sakane@xxxxxxxx> writes:
>> Somebody will need to help me (us) here: can IKEv1 successfully
>> establish 2401bis SA's? Can IKEv2 successfully establish 2401
>> SA's? I'm _guessing_ that the answer to both is "yes", but the
>> big question is whether there's anything in IKEv2 what is
>> exchanged across the wire to inform the other side whether it's
>> 2401 or 2401bis. If so, we may need a similar mechanism.
Shoichi> Stephan Kent who is 2401bis author answered to my
Shoichi> question in the ipsec mailing list:
Shoichi> 2401bis implicitly establishes requirements for
Shoichi> certain features for a key/SA management protocol to
Shoichi> enable systems to make full use of the IPsec features
Shoichi> defined in 2401bis. IKEv2 satisfies these requirements;
Shoichi> IKE v1 does not. It's way too late to suggest that we
Shoichi> degrade requirements in 2401bis to be backwards
Shoichi> compatible with IKE v1.
Shoichi> it seems that IKEv1 does not work on 2401bis.
That's not how I read what Steve is saying. A 2401bissystem can
support IKEv1. However the 2401bis SPD can require the system to do
things that IKEv1 cannot do.
Put another way, a 2401bis system can have multiple key management
protocols. At least one of these protocols needs to support all the
attributes of a 2401bis SPD. For this reason and because it is
explicitly required, 2401bis systems MUST support ikev2.
I'm not trying to require Kink to support all features that 2401bis
requires from a key management protocol. It's fine if on a 2401bis
system sometimes the IPsec architecture requests Kink to set up a SA
but Kink fails because it does not support something about the SA.
What I am requiring is that Kink work with a 2401bis system. That is,
the Kink specification needs to use the same terminology and model as
2401bis. Similarly it needs to be possible to implement Kink on a
2401bis system and the only problem should be that some features
2401bis would like to have from an automated key management protocol
are not available.