SKIP in IPSEC: is it really simple?
HUGO@watson.ibm.com Thu, 12 September 1996 16:17 UTC
Received: from relay.hq.tis.com by neptune.TIS.COM id aa26383; 12 Sep 96 12:17 EDT
Received: by relay.hq.tis.com; id MAA11823; Thu, 12 Sep 1996 12:20:48 -0400
From: HUGO@watson.ibm.com
MMDF-Warning: Parse error in original version of preceding line at neptune.TIS.COM
Received: from sol.hq.tis.com(10.33.1.100) by relay.tis.com via smap (V3.1.1) id xma011816; Thu, 12 Sep 96 12:20:24 -0400
Received: from relay.hq.tis.com by tis.com (4.1/SUN-5.64) id AA21113; Thu, 12 Sep 96 12:19:32 EDT
Received: by relay.hq.tis.com; id MAA11809; Thu, 12 Sep 1996 12:20:19 -0400
Received: from igw2.watson.ibm.com(129.34.139.6) by relay.tis.com via smap (V3.1.1) id xma011800; Thu, 12 Sep 96 12:20:05 -0400
Received: from mailhub1.watson.ibm.com (mailhub1.watson.ibm.com [9.2.249.31]) by igw2.watson.ibm.com (8.7.4/8.7.1) with ESMTP id MAA79107; Thu, 12 Sep 1996 12:20:18 -0400
Received: from yktvmv.watson.ibm.com (yktvmv.watson.ibm.com [9.117.33.29]) by mailhub1.watson.ibm.com (8.7.1/09-08-96) with SMTP id MAA529798; Thu, 12 Sep 1996 12:19:44 -0400
Message-Id: <199609121619.MAA529798@mailhub1.watson.ibm.com>
Received: from YKTVMV by yktvmv.watson.ibm.com (IBM VM SMTP V2R3) with BSMTP id 5799; Thu, 12 Sep 96 12:19:42 EDT
Date: Thu, 12 Sep 1996 12:03:11 -0400
To: skrenta@osmosys.incog.com, ipsec@TIS.COM
Subject: SKIP in IPSEC: is it really simple?
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Ref: Your note of Wed, 11 Sep 1996 17:42:53 -0700 (PDT) (attached) > > What is misleading to say is that SKIP has as high an overhead at startup > as an Oakley exchange, when the overhead in practice is considerably less. > It is also misleading to say that one can't have PFS in SKIP without > throwing out all of SKIP's advantages; this isn't true. I haven't said or implied that. Any real advantages of SKIP can be added into the ISAKMP/Oakley framework (in particular, I was personally all for a convergence of all these protocols which is technically feasible, but unfortunately failed). > > This may well be a matter of religion, and not technical merit. > Some will choose to start with a simple protocol, and build upon that. > Others advocate designing a large, heavyweight protocol which offers > every conceivable feature (except statelessness, that is) from the start. The point is not to start with a heavyweight protocol that gives you every conceivable feature (and even statelessness if you want) but to start with a set of required features (eg PFS and anonymity as WG requirements, and secure/fresh handshakes as my *personal* requirement :) and have the right framework to build more features into it in the future. > > > ISAKMP/Oakley, on the other hand, has several security advantages > > over SKIP > > Having to stop and renegotiate a session to change the traffic key is not > an advantage. You do not have to stop to renegotiate a key, For example we have continouous encrypted/authenticated video running with key refreshments in between. > > It is also incorrect to say that SKIP forces the Internet to standardize > on a single g and p; this is once again an administrative issue. Our > implementation currently supports as many local (g, p, i) identities as Notice the word *local*: I meant a solution that scales to the whole Internet where not only *local parties* can communicate and inter-operate. > the administrator cares to configure. It must, in order to support > simultaneous interoperability with products deployed to the different > rings of the US export law hell (2048 US, 1024 Swiss banks, 512 non-US). > > > In any event, it's clear that there hasn't been, and won't be, consensus > to back one KMP exclusively. Continuing to delay further is pointless. > Let's have all existing KMPs proceed within the WG with the same status > as soon as possible. > My personal vote here is against co-existence. That will postpone global success (inter-operability) even more. There will be time to tune the one chosen protocol later with experience. But there should be one basis for all. Hugo