
Re: WG last call for IPv4 AH and ESP




Paul_Lambert-P15452@email.mot.com says:
> >Things have quieted down on this list about AH and ESP, so I have to
> >assume we are ready to implement.  I'm working on integrating Ran's IPv6
> >changes into the text.  Are there any other issues still unresolved?
> 
> There is no reason to have two IPv4 security protocols!

> There should only be one protocol (per San Jose discussions) that provides 
> confidentiality, integrity (a.k.a. authentication), or confidentiality and 
> authentication.

There is just one protocol. The ESP and AH headers are two different
headers, but they function in substantially identical ways.  There is
a need for a transparent authentication only header which the AH
provides -- ESP provides for either confidentiality or confidentiality
and authentication.

This was all decided on a long time ago.  Steve Bellovin explained in
detail in Toronto why we needed both. Other people agreed with
him. Both headers were present in the IPv6 specification. After about
a day of detailed discussion in Toronto, the various members of the
working group, both in and out of formal session, ended up re-deriving
the IPv6 protocols and decided to simply adopt a functional equivalent
for IPv4. This is the recollection of substantially everyone from
Toronto I have spoken to.

I will repeat -- this was all decided on a long time ago, in
Toronto. The drafts Bill Simpson and I produced substantially follow
the consensus on protocols derived in Toronto and the consensus on
security transforms from San Jose. (There is still a combined
Auth-Confidentiality transform draft missing, but we intend to produce
it.) 

There has been no discussion or dispute concerning the underpinnings
of the protocol for the last two months since these drafts came out,
until your last message. There was substantial agreement, in
fact. There have been disputes concerning details like whether the key
should be both pre- and postpended in the MD5 keyed auth case and the
like, but there has been no public dispute concerning the basics of
the drafts.

I will note that the IPSEC working group is viewed with disdain by the
IETF for its inability to come to consensus. There has been talk of
dissolving the group because of this inability. We now have a
consensus, and I would say that the notion of attempting to alter it
at this late a date, with several implementations pending and with the
next IETF meeting only a month or so away, is contentious and
dangerous.

If you wish to make this into a sufficiently big issue to prevent the
committee from completing its work, you doubtless can find ways to do
so -- in your privileged position as chair there are no end of
dilatory tactics you could employ -- but this would be manifestly
against the interests and desires of the community.

Perry
