[anonsec] details of IKE/IPsec channel binding

Nicolas Williams Nicolas.Williams at sun.com
Thu Mar 22 04:47:48 PDT 2007


On Thu, Mar 22, 2007 at 12:12:21PM +0200, Tero Kivinen wrote:
> Nicolas Williams writes:
> > Again, this has to work with IKEv1.  Bill so insisted, and I agree.
> 
> Hmm... the BTNS charter only talks about "Current Internet Protocol
> security protocol (IPsec) and Internet Key Exchange protocol (IKE)",
> it does not mention IKEv1 anywhere.
> 
> The current IPsec and IKE is the RFC430x series, i.e. IKEv2. The old
> RFC240x series is obsoleted.

IKEv1 is certainly not obsoleted.  And RFC4301 does support IKEv1, does
it not?

> > We could use this approach when using IKEv2 so it also works when using
> > EAP, and fallback on public keys when IKEv1 is being used, and oh well
> > if you ever get bitten by the problem I described.
> 
> I argue should we waste time at all to define anything else than the
> RFC4301 and IKEv2 use. Things were different a few years back when this
> work was started...

First I'd like to be convinced that the IKE_SA expiration in the middle
of channel setup is no big deal.  That is, I'd like to see consensus on
this.  And I'd like input from our AD about whether we need to support
IKEv1.

Nico
-- 