
Re: IPv6 Security Last Call Initial Questions



Perry,

Thanks....Excellent market input....

>These corporate WANs can, of course, be easily tapped. Right now, the
>typical solution is link encryptors for exposed (i.e. off premises)
>legs of the communications networks, but in the long run real safety
>requires end to end solutions. In the long run, without end to end
>encryption of the ESP sort, these institutions are going to start
>facing frequent, er, losses, as a result of inadequate security. As
>soon as prototypes of this stuff arrive people like me are going to
>start putting enormous pressure on our vendors to supply it. Whether
>there is a "MUST" in the document or not isn't going to matter much to
>you in the medium term -- Wall Street buys workstations by the
>trainload.

Your last sentence is the key to what I have been arguing.  If Wall
Street is going to buy lots of workstations any vendor that does not
conform to IPSP will not gain profit in the market.  I have agreed long
ago to MUST implement IPSP and MAY USE in the market.

I would like to build an implementation that has the flexibility to
comply to customer and market requirements and not have to build
standards into a product that prohibit experimentation or create costs that 
will raise the cost of the product.  We can build IPSP and leave the 
algorithms to a list of SHOULDs which affords the vendors freedom in designing
our architecture of IPSP to respond to changes as they evolve.  There will 
be customers with varying security level requirements.  Each needing different
levels.  That's all I asked and am asking for now.  Please let's not
prohibit anything unless it's outright dumb.  Like saying the IPv6
security payload can have the fields in different places.  

As an individual I am against any type of regulation when it is not
necessary, and believe private enterprise will figure it out better.
In fact if you look at the back of my truck if you see me drive up to
the Tara at Danvers you will see a sticker on the back of my bumper that
says "I Vote for Less Government" (I am local at this meeting).  But
then again I think it's a disgrace that every person in the U.S. does not
have health care.  It's like the notion of the astrological sign Libra.
We need to keep a balance.  I think ESP MUST IMPLEMENT DES tips the
scales too far against the vendors in our IETF community and is a form
of incorrect "regulation" that is not justified or necessary technically
or from a business perspective.

If we could get past this I and others would join you and others and go
build the best damn security for the Internet possible (I also hope the
Internet does not get regulated in the U.S. either).  Would that not be
a good thing to do?  Change MUST to SHOULD for DES.  I will even accept
MUST for MD5 for authentication as that has no export issue.

p.s. if you want one of those bumper stickers see Ross Callon.

/jim


