Re: SOI schizophrenia
Michael Thomas <mat@cisco.com> Thu, 16 May 2002 21:45 UTC
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <15588.9007.583427.780174@thomasm-u1.cisco.com>
Date: Thu, 16 May 2002 14:22:55 -0700
To: Jan Vilhuber <vilhuber@cisco.com>
Cc: Michael Thomas <mat@cisco.com>, ipsec@lists.tislabs.com
Subject: Re: SOI schizophrenia
In-Reply-To: <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
References: <15586.62572.905659.469261@thomasm-u1.cisco.com> <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Jan Vilhuber writes:
> On Wed, 15 May 2002, Michael Thomas wrote:
> >
> > I admit it. I'm having a real hard time deciding
> > which design philosophy is actually more
> > appropriate for SOI. I've vacillated quite a few
> > times and it doesn't seem like it's about to abate
> > any time soon. What Paul's document tells me
> > (which pretty jibes with my own judgement) is that
> > both protocols are vast improvements over IKE, and
> > they seem to reach quite similar conclusions on
> > the basic message exchanges. Both put effort into
> > DoS, and simplify the on-wire combinatorial
> > explosion of SA establishment. All in all, they
> > both seem competent.
> >
>
> They are both competent from a cryptography point of view, but only
> one actually allows key management in any sane way. I think that's
> where the two part company, and we as a group need to decide which is
> more appropriate: A key *agreement* protocol (JFK) which will require
> other protocols (ICMP? Right..) to help solve the current deployment
> stability, or a key *management* protocol (IKEv2), that lets you
> manage the key we agreed on, without requiring other external
> management protocols.

I don't understand what you mean by "management" in this context. JFK can add and delete SA, and assigns lifetimes to them. It seems light on a DPD scheme, but that seems like a negotiable item. Two phases is just an optimization. What am I missing?

Mike