[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Position statement on IKE development

Dan Harkins writes:
 >   I discussed this in Minneapolis. The plan is to combine ISAKMP, IKE,
 > and the IPsec DOI into a single draft describing a key management
 > protocol for IPsec. 
 >   The intent, as well-meaning as it was, was to have a generic language 
 > (ISAKMP) in which to describe a key management protocol and there could
 > be many key management protocols with IKE as just one of them. IKE, then,
 > was supposed to be a generic key exchange protocol which could create 
 > "SAs" for multiple services, of which IPsec (specified in the DOI) was 
 > just one. But IKE is the only thing that used ISAKMP and the other two
 > DOI documents-- OSPF and RIP-- died a quiet death.

   Not entirely correct. KINK is using ISAKMP payloads
   (sa, id, nonce, ke, notify, delete, ie quick mode).
   IMO, the logical split here is between authentication
   and IPsec SA establishment. The former is *always*
   a far harder problem than the latter.