On 4/23/2009 3:57 PM, Tero Kivinen wrote:
> Lakshminath Dondeti writes:
> > When did MOBIKE come into the picture?  What are you saying Tero, that IPsec
> > session resumption is an alternative to MOBIKE and a slow one at that?
>
> Yes.
>
> Both solve the same problem, that the IKE SA recovers from the IP-address
> change, or switching from one network to another (i.e. from cellular
> to WLAN).
>
> I do not really see any fundamental reason why the IKE SA needs to be
> taken down when in cellular. I can see reasons why it might not be
> needed, but the IKE SA could still be kept up and running, and if done
> that way, then MOBIKE will offer a solution for how to move the IKE SA to
> the new network, and it will mostly do it in 1 RT.

MOBIKE assumes that the other side has state, correct? Session resumption has to do with providing that state. How are they the same?

> > "Annoy" being the keyword.  I am now more convinced that we are really
> > making the protocol inefficient because some kid might try to annoy some
> > people some time.  To counter such potential annoyances which may not
> > happen at any frequency that matters, we are going to sacrifice the user
> > experience all the time?

> I am saying we are not sacrificing the user experience in any
> noticeable way even if we do a 2 RT protocol. I expect that 99.999% of
> users will never notice whether the 1 RT or 2 RT protocol was used if
> there is no attack. On the other hand, 100% of users will notice the
> attacks if the 1 RT protocol is used, and 0% of users will notice the
> attacks if the 2 RT protocol is used.

Under attack, the protocol stretches to 3 RTs. So, you are saying that there is no noticeable difference between 1 and 2 RTs, but there is between 2 and 3? Is your point that the DH computation will be noticed?

My point is that we'd be beyond the real-time budgets after 1 RT anyway. Now of course, to prove any of this (as opposed to your word against mine), we have to work out test scenarios and the like and measure user perception (we can throw in 5 9's all we want, but people spend millions on real perception testing). All I am asking for is for the group to realize that there are cases where the budgets are low and therefore allow the 1 RT exchange.

regards,
Lakshminath
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec