From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15588.9007.583427.780174@thomasm-u1.cisco.com>
Date: Thu, 16 May 2002 14:22:55 -0700 (PDT)
To: Jan Vilhuber <vilhuber@cisco.com>
Cc: Michael Thomas <mat@cisco.com>, ipsec@lists.tislabs.com
Subject: Re: SOI schizophrenia
In-Reply-To: <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
References: <15586.62572.905659.469261@thomasm-u1.cisco.com>
 <Pine.LNX.4.21.0205161337340.2302-100000@localhost>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

Jan Vilhuber writes:
 > On Wed, 15 May 2002, Michael Thomas wrote:
 > 
 > > 
 > > I admit it. I'm having a real hard time deciding
 > > which design philosophy is actually more
 > > appropriate for SOI. I've vacillated quite a few
 > > times and it doesn't seem like it's about to abate
 > > any time soon. What Paul's document tells me
 > > (which pretty jibes with my own judgement) is that
 > > both protocols are vast improvements over IKE, and
 > > they seem to reach quite similar conclusions on
 > > the basic message exchanges. Both put effort into
 > > DoS, and simplify the on-wire combinatorial
 > > explosion of SA establishment. All in all, they
 > > both seem competent.
 > > 
 > 
 > They are both competent from a cryptography point of view, but only
 > one actually allows key management in any sane way. I think that's
 > where the two part company, and we as a group need to decide which is
 > more appropriate: A key *agreement* protocol (JFK) which will require
 > other protocols (ICMP? Right..) to help solve the current deployment
 > stability, or a key *management* protocol (IKEv2), that lets you
 > manage the key we agreed on, without requiring other external
 > management protocols.

   I don't understand what you mean by "management"
   in this context. JFK can add and delete SA, and
   assigns lifetimes to them. It seems light on a
   DPD scheme, but that seems like a negotiable
   item. Two phases is just an optimization.

   What am I missing?

	   Mike
