Re: [IPsec] Secure Crash Discovery for IKEv2

[Yoav Nir <ynir at checkpoint.com>]

Hi all

I sent out this email about a month ago, and the response was, well,  
underwhelming.

We had three responses: one for QCD, one just asking a question, and  
one questioning the need and suggesting that we revive the birth  
certificate idea instead of the two proposed solutions.

Despite this, we still believe this is important for IKE  
implementations, and would like to proceed. A "nightmare scenario" for  
us is to have two competing non-interoperable standards. We had hoped,  
that even though this is not a charter item, and we can't call on the  
group to force a consensus, that we'd hear from enough people to get a  
feel for the opinion of the WG.

So we're asking the participants of this WG again for their opinion  
about the two (well, three if you include birth certificates) options  
for solving the de-synchronization problem.

Thanks in advance

Frederic, Pratima and Yoav

On Aug 6, 2008, at 5:22 PM, Yoav Nir wrote:

> This is a followup to my mini-presentation in Dublin.
>
> The problem we're trying to solve is that of a state de- 
> synchronization between two IKE peers. This could take several  
> minutes to discover and resolve, and no IPsec traffic can flow in  
> that time.
>
> The following Wiki page describes the problem, and two proposed  
> solutions.
>
> http://wiki.tools.ietf.org/wg/ipsecme/trac/wiki/SecureCrashDiscovery
>
> We would like to solicit input from the WG about these two  
> solutions, so that we can either combine them or choose between  
> them, and proceed with a unified draft.
>
> Thanks in advance
>
> Frederic, Pratima and Yoav

_______________________________________________
IPsec mailing list
IPsec at ietf.org
https://www.ietf.org/mailman/listinfo/ipsec