Re: IPv6 Security Last Call Initial Questions

[bound@zk3.dec.com]

Ted,

>>I also have seen a grass roots movement....

>I still remain unconvinced whether it's "grass roots", or "astroturf". :-) 

Now be nice remember that flame mail you accused me and others of?

Its real Ted and I also presented my ideas to Paul Lambert tonight and
no one or me is saying that strategically in the IETF we should not
specify confidentiality security.  We must do this to have a secure 
Internet.  The question on the table is how do we do this tactically?  

>I've always been amused when vendors try to make the case that their
>concerns, as opposed to their custmers, should be considered "grass roots".

I would like an apology as you have just accused me of not understanding
my customers concerns in a public forum.  Please apologize.  
You cannot make these kind of suggestive accusations its counter-productive 
and defamation to my character as an IETF individual and as an employee of 
my company.  You are out of line above and we do not need that kind of
mail on such an important topic in this mailing list.

Grass roots above means that many in the community have expressed that
my explanation and discovery process of the issues are in fact worth
thinking about.  I am championing this 'thought process' and I have done
it in other standards forums, in a large corporation, and I know how to
bring an issue to the table for discussion even when it may be getting
slammed dunked by a group of activists.  Yes I am doing this not for
Digital, not for Sun, not for XYZ, but because I believe the entire
discussion has not taken place and is not done.  It also needs wider
community discussion in the IETF not just in this working group.

But being experienced in such a process I realize some will attack me
and even go to the extreme of offending me.  Until this is over if this
happens too much an individual may find themselves sitting in a court room
explaining to a judge why they felt they had the right to defame or
abuse the rights of Jim Bound as an individual in a public forum.  And I
have a set of family and many friends connected to the legal profession
who will do this for me for free for the right reasons.  So please don't
push it if your in the U.S. anywhere.  I will note that my colleagues in
99% of the cases in Europe and Pacrim have not done anything like this
and we ought to wonder about that in the U.S. and consider why they are
able to keep this professional at all times via email.

I am representing me Jim Bound.  But I also think my position benefits 
the many customers I do know and many vendors I know as colleagues in
the IETF who are also present as individuals.  

I want to be able to build both AUTH and ESP for the market as an
engineer as part of IPv6 and for the Internet in general.  But I also 
want my work to be IPv6 conformant world wide and this will turn me on
as an engineer to know that the IPv6 stack and environment I will build
will be used in the U.S.A., Russia, Singapore, Switzerland, or Brazil.
This means my "code" and the someday product will help the Internet be
better because of IPv6 and the added Security for the Internet.

To do this in the most expedient fashion would be to REQUIRE AUTH which
will give all IPv6 users integrity out of the box.  And then specify
that if a user wants confidentiality STD XXX MUST be used.  The reason
we have to do this in such a manner is because the reality is that none
of 'the' vendors can build a conforming IPv6 implmentation that will meet
the export/import restrictions within some countries in the Americas, Europe, 
and Asia.  Let the consumer determine and specify that encryption is a must do 
in the product not the IETF as a thought to this working group and a
discussion point OK.

The IETF will have done its job with the above.

>One additional comment concerning this whole export nonsense.  Keep in

Its not nonsense its reality Ted.  I think laws against any firearms or
many vices are nonsense too, but I have to abide by them whether I like
them or not, so I abide by them and vote at every opportunity I get and
influence change wherever I can.  But at the end of the day in a court
I can't break the law no matter how silly it is in my view of the world
and not get punished.  So I be cool and hope for change.

Also the law in many international countries is that you cannot 
export/import encryption either its not just a U.S.A. issue.

>mind that if we make it optional, we will have to live with the
>resulting lack of interoperability and lack of security for decades.

No the scenario above will work.  And authentication is available as I
stated out of the box.  And if we state the ESP standard well enough and
implement the work in this working group and get it as a STD the market
will require it and the vendors and the market will work out how to make
it happen.  We in the IETF will have done our job.

>There are rumors that at least within the United States, the rules for
>DES may be significantly eased in the next year.  (Specifically, that
>products with DES might in the fuuture automatically have Commerce
>Jurisdiction.)  I, personally, will be very, very surprised if the
>U.S. export regulations do not get significantly reformed in the next
>3-5 years.  

The IETF work and International community cannot do business and we should
not determine our tactical strategy for encrption based on rumors. But
if the laws change then we can update our standards. 

>It would be extremely ironic if we made a decision which had negative
>impacts for decades, especially if the country-specific, legal excuses
>for doing this vanish shortly after we make said decision.

But today we do have a legal problem.  And by specifying it now in the
standards will cause an implementation conformance problem.  If we give
the market the standard to require for IPv6 to have interoperable
implementations with confidentiality then as a standards organization we
have done our job.  Customers simply write their  RFP in this manner:

Network Section:

1.  Client and Server end systems MUST conform to IETF IPv6 Base
Protocol Specification, System Discovery, DNSINDv6, DHCPv6, ICMPv6, etc.
etc.. etc.. and Security (AUTHENTICATION).

2.  Client and Server end systems MUST conform to the IETF IPv6
Confidentiality RFC ####.

Done.  Everything you stated you want and others is accomplished.

>P.S.  There do exist countries for which crypto export is not an issue.
>DEC could simply set up a programming shop there, thus draining more
>jobs from the United States.  If enough of this happens, maybe the
>U.S. will reconsider its current irrational laws even faster than what I
>expect.

Please do not just pick on Digital (and fyi its not DEC please) my
position would be the same as a small business person building
customized host server kernels for embedded systems.  I have already
on the IPng Directorate taken positions that were completely
contrary to my companies best interest when it was in the interest of
the Internet community to proceed correctly technically.  I have done this 
often in the IPv6 WG too.  Anyone in the IETF who 'really' knows me for the
past two years have even seen me and my colleagues who also work for
Digtial fight for different technical positions on technology matters.  
So this does not apply to me - Jim Bound.  

Its not called a programming shop it would be called an engineering
porting center most likely.  

Also what will change the laws is not this but real political pressure
and here is how it could proceed for the U.S. and with minor tweeks
other countries that have a democracy of some form:

  1.  Vendor pressure through their lobbyists.
  2.  Small firms can contact the Small Business Associations
      and their congressman and senators.
  3.  The IETF ISOC relationship needs to take this on as a job and 
      connect with ISO, IEEE, and JTC1 to push back on the FTC.
  4.  Use the G7 Summits to put pressure on the U.S. and all countries
      that have export/import restrictions on computer cryptography.

      * also right now is a good time because of the present congress *

The ECMA via the IETF connecting with them can affect the European
issues with G7 too.

All of us as individuals calling or writing to our congressman and
senators that this is bogus.  I have done this already back when IPv6
was an issue between SIPP, CATNIP, and TUBA and we saw the IPv6
encryption coming on the IPng Directorate in a letter where I was
complaining about a bunch of stuff per firearms.  I will do it again
just for this export issue this weekend.  I suggest all in the U.S. who 
really care write letters too.

At the end of the day I will support what the IETF community decides to
any who confide in me or think my consultation in fact is important that
all must do what the IETF has decided including MUST ESP DES if we can't
fix that wording.  I have no clue what will happen per the export issue
other than I think some kind of wording will be invented to ship
products abroad by most vendors I am sure.  In fact by not leaving it to
the consumer could cause the objective to not happen because its
assumed and not stated.  Similar in result to the prohibition era in the
U.S. in the 1920s (aka the roaring 20s).

/jim

---

Follow-Ups:

• Re: IPv6 Security Last Call Initial Questions
• From: "Marcus J. Ranum" <mjr@tis.com>

---

• Prev by Date: Re: fast re-keying
• Next by Date: Re: IPv6 Security Last Call Initial Questions
• Prev by thread: Re: IPv6 Security Last Call Initial Questions
• Next by thread: Re: IPv6 Security Last Call Initial Questions
• Index(es):
  • Main
  • Thread