
Re: IPSEC at Dec IETF




"William Allen Simpson" says:
> > Presentations are currently scheduled to discuss the proposals for IPSP (a new
> > I-D will be out next week).
> 
> I propose we abandon IPSP.
> 
> I propose we accept Ran Atkinson's IPv6 Authentication Header draft for
> IPv4 without any changes.

I second the proposal with one modification -- there should be a short
document explaining the differences in usage. Also, Ran's document
needs to be cleaned up a bit. Ran's auth header was essentially what
was agreed to during our deliberations.

> I propose we accept Ran Atkinson's IPv6 Encapsulating Security Header
> draft for IPv4 with a small change, which is to move the next header,
> length and padding information to the trailer.  This is similar to what
> Karn has been demonstrating for a year now, and nobody else has come out
> with anything better!

Personally, I radically prefer what we came up with at the last IETF,
which was simply

[32bits of SAID]
[STUFF]

such that the entire package was 64 bit aligned, since after all
everything on earth in the IPng world is 64 bit aligned. It seems to
me that ESP as written gratuitously wastes lots of space to 64 bit
align essentially 8 bits of data inside the packet. By leaving such
internals up to the security transform, we allow high speed hardware
to use new defined transforms that align things and we allow people
operating IPv4 with software encryption over slip links to still get
performance, and everyone becomes happy. However, if Ran can't be
convinced that this is a Bad Thing I'd rather be compatible than
noncompatible. 

> Any other presentation had better have running code, or we certainly
> shouldn't consider it.

There may be a swIPe/Ran's proposal hybrid running on v4, that is to
say, swIPe hacked to do the v6 auth/encrypt headers instead of swIPe
headers. No promises, though.

Perry

