
Re: WG last call for IPv4 AH and ESP




"Housley, Russ" says:
> Personally, I am not convinced that the Internet community is well served 
> by four network layer security protocols.  IPv4-ESP, IPv4-AH, IPv6-ESP, 
> IPv6-AH is too much.  Each of these specifies a different syntax for the 
> protocol data unit, and thus, each will require a different parser.  
> Clearly, the cryptographic routines can be common, but I do not think that 
> we will see ubiquitous implementation with this kind of diversity.

I agree. That is why Bill and I have specified the IPv4 protocol in a
way that is indistinguishable from the IPv6 protocol. We are trying to
merge the proposals. Paul keeps trying to prevent the merger of the
protocols which the rest of us keep trying to move forward. You have
stumbled upon one of the reasons that I'm upset with him.

Even if the implementations of the protocols end up being separate, as
Ran keeps pointing out, I feel that from an understandability point of
view it's best to reduce the number of different entities floating
around. Thus far, Paul has been the only person to disagree.

As it stands, the documents that we've produced are nearly identical
to the v6 documents, and in fact we are trying to negotiate a merger
at some point.

On the question of why both AH and ESP versus simply ESP, the reason
is simple -- some applications need to reveal the underlying protocol,
and some need to conceal it. The two headers simply make it possible
to do each. Other than this difference, the mechanisms are
identical. As I noted, Steve Bellovin went into great detail as to why
we needed the AH mechanism to make filtering possible on firewalls,
and given that the v6 folks already had it, it seemed like a very
useful and important mechanism to specify.

Perry
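The filtering distinction Perry draws above, as an added example that is not code from this thread or from any IPsec implementation: with AH the Next Header field travels in the clear, so a firewall can still see that the payload is TCP, whereas with ESP only the SPI is visible and the inner protocol type sits inside the encrypted data. It assumes the RFC 1826 AH and RFC 1827 ESP layouts of that time; the addresses, SPIs, authentication data and "ciphertext" are constructed sample values.

```python
import struct

# IANA IP protocol numbers.
IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ipv4_header(protocol: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options; checksum left zero, constructed addresses."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       protocol, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ah_header(next_header: int, spi: int, auth_data: bytes) -> bytes:
    """AH per RFC 1826: Next Header, Payload Length (auth data in 32-bit words), Reserved, SPI."""
    assert len(auth_data) % 4 == 0
    return struct.pack(">BBHI", next_header, len(auth_data) // 4, 0, spi) + auth_data


def esp_header(spi: int, opaque: bytes) -> bytes:
    """ESP per RFC 1827: only the SPI is in the clear; the inner protocol type is encrypted."""
    return struct.pack(">I", spi) + opaque


def visible_upper_protocol(packet: bytes):
    """Protocol a filter can see past the security header, or None if ESP conceals it."""
    ihl = (packet[0] & 0x0F) * 4
    protocol = packet[9]
    if protocol == IPPROTO_AH:
        return packet[ihl]          # AH Next Header is sent in the clear
    if protocol == IPPROTO_ESP:
        return None                 # nothing after the SPI is readable without the key
    return protocol


def firewall_permits(packet: bytes, allowed: set) -> bool:
    """Permit only packets whose upper-layer protocol is visible and on the allow list."""
    proto = visible_upper_protocol(packet)
    return proto is not None and proto in allowed


def sample_ah_packet() -> bytes:
    """Constructed: AH (SPI 0x100, 16-byte auth data) protecting a dummy 20-byte TCP segment."""
    tcp = b"\x00\x50\x04\xd2" + b"\x00" * 16
    ah = ah_header(IPPROTO_TCP, 0x100, b"\xaa" * 16)
    return ipv4_header(IPPROTO_AH, len(ah) + len(tcp)) + ah + tcp


def sample_esp_packet() -> bytes:
    """Constructed: ESP (SPI 0x200) carrying 32 bytes of opaque, supposedly encrypted data."""
    esp = esp_header(0x200, b"\x5c" * 32)
    return ipv4_header(IPPROTO_ESP, len(esp)) + esp
```

A firewall that wants to pass only TCP can therefore admit the AH packet and must refuse or ignore the ESP one, which is exactly the trade-off between revealing and concealing the protocol that the two headers provide.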


