Hi all,
I took a look at draft-ietf-lwig-ikev2-minimal-00 since I volunteered at
the last IETF meeting.
The specification describes a subset of IKEv2 that utilizes shared
secrets (although the appendix also talks about raw public key usage,
which is not mentioned in the introduction). By cutting various options
and the support of PKI-based authentication the result is less complex
than the original version.
The document does not talk about cryptographic algorithm choices nor
does it talk about IPsec (which would be required for a complete
security implementation). Is that a problem? Not necessarily. It is
rather a matter of scope.
The document is, from a style point of view, quite different to
draft-ietf-lwig-tls-minimal-00. It is interesting to see how different
authors approach the same task differently.
I do not necessarily see a need to change the style, and the
abstract says what the document is trying to accomplish. It might
nevertheless be helpful to note in the abstract that the document talks
about raw public keys as well or, if you believe the main focus is on
shared secrets, then put the shared secret authentication somewhere in
the title.
An interesting aspect of IKEv2, which is helpful in light of the
recently discovered issues with pervasive surveillance, is that
IKEv2 uses a mandatory Diffie-Hellman exchange, which provides PFS. It
makes the protocol more heavyweight but that's good for security.
Tero obviously knows IKEv2 and so there are no issues with the content
of the document. I know that Tero had a working implementation and that
increases my confidence in the quality of the write-up even more.
In a nutshell, I believe it is a good document.
My suggestion is to get it to the IESG as soon as possible. No reason to
wait.
Ciao
Hannes
_______________________________________________
Lwip mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/lwip
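The review above points out that IKEv2's mandatory Diffie-Hellman exchange gives perfect forward secrecy even when the peers authenticate with a shared secret. The following is an added example, written for this page and not taken from the draft, from Tero's implementation or from any IKEv2 code base. It keeps two things from RFC 7296 as written there (SKEYSEED = prf(Ni | Nr, g^ir), and the shared-key AUTH construction prf(prf(PSK, "Key Pad for IKEv2"), signed octets)) and simplifies everything else: HMAC-SHA-256 is the only prf, one session key stands in for the whole SK_* family, the "signed octets" are reduced to the two public DH values plus nonces, and the group is RFC 3526 group 14 transcribed by hand. The `use_dh=False` path is a hypothetical DH-less key schedule added purely for contrast; no IKEv2 mode works that way.

```python
"""Reduced model of IKEv2 shared-secret authentication with and without the
mandatory Diffie-Hellman step, to show what a leaked PSK buys a passive
attacker who recorded the exchange.  Example code for this note; the
structure is an assumption, not the specification's exact processing."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP), generator 2, transcribed here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
KEY_PAD = b"Key Pad for IKEv2"          # literal string from RFC 7296, 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """Single prf for the whole model (assumption: HMAC-SHA-256 only)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def i2b(n: int) -> bytes:
    return n.to_bytes((P.bit_length() + 7) // 8, "big")


def valid_public(value: int) -> bool:
    """0, 1 and p-1 force g^ir into a trivial value whatever the exponent;
    a receiver must reject them before exponentiating."""
    return 1 < value < P - 1


def dh_keypair():
    priv = 2 + secrets.randbelow(P - 3)
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    if not valid_public(peer_pub):
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def auth_payload(psk: bytes, signed_octets: bytes) -> bytes:
    """Shared-key AUTH as in RFC 7296: prf(prf(PSK, pad), signed octets).
    Signed octets are simplified here to public values plus nonces."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def run_exchange(psk: bytes, use_dh: bool = True):
    """Initiator and responder: IKE_SA_INIT (nonces, DH) then IKE_AUTH.
    Returns the agreed session key and what a wiretap would record."""
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    signed = i2b(i_pub) + i2b(r_pub) + ni + nr
    auth = auth_payload(psk, signed)                 # initiator's AUTH payload
    assert hmac.compare_digest(auth, auth_payload(psk, signed))  # responder check

    if use_dh:
        secret_i = i2b(dh_shared(i_priv, r_pub))     # g^ir, never on the wire
        secret_r = i2b(dh_shared(r_priv, i_pub))
    else:
        secret_i = secret_r = psk                    # hypothetical DH-less schedule
    sk_i = prf(prf(ni + nr, secret_i), ni + nr)      # SKEYSEED, then one SK
    sk_r = prf(prf(ni + nr, secret_r), ni + nr)
    assert sk_i == sk_r
    return sk_i, {"signed": signed, "auth": auth, "ni": ni, "nr": nr}


def passive_attacker(psk: bytes, rec: dict):
    """Attacker who recorded the exchange and later obtained the PSK, but
    never held a DH exponent.  Returns (can_forge_auth, best_key_guess)."""
    can_forge = hmac.compare_digest(auth_payload(psk, rec["signed"]), rec["auth"])
    # The only secret the attacker has is the PSK; re-run the schedule with it.
    guess = prf(prf(rec["ni"] + rec["nr"], psk), rec["ni"] + rec["nr"])
    return can_forge, guess


if __name__ == "__main__":
    psk = b"constructed-demo-psk"
    for use_dh in (False, True):
        sk, rec = run_exchange(psk, use_dh=use_dh)
        forge, guess = passive_attacker(psk, rec)
        print(f"dh={use_dh}: forge AUTH={forge}, recovered past key={guess == sk}")
```

In both runs the leaked PSK lets the attacker reproduce the AUTH payload, so a PSK compromise is an impersonation problem going forward either way. Only the DH-less schedule also hands over the recorded session's key; with the mandatory DH step the key depends on g^ir, which is in neither the transcript nor the PSK, which is the property the review is pointing at.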