
RE: Concerns




>> This is not what I saw.  I saw only a handful voting for SKIP, a few
>> more for ISAKMP/Oakley, and the vast majority with their hands down.

>This is remarkable, since there wasn't a vote on SKIP vs. ISAKMP
>at the Montreal meeting.

A quick way to solve this small (and irrelevant) discussion is to have an
online vote by having everyone email one person with an answer to the
following question:

  Pick one:

   a) SKIP
   b) ISAKMP/OAKLEY
   c) Don't care



Subject:  Re: IPsec Minutes from Montreal
To: ipsec@TIS.COM
Date: Wed, 18 Sep 1996 11:33:52 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24 PGP5]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
From: ipsec-approval@neptune.tis.com
Message-ID:  <9609181440.aa23915@neptune.TIS.COM>


Paul,

The revised minutes still do not describe the presentations and
followup discussions which took place at the Montreal meeting.  Rather,
they appear to draw on recent discussions on the ipsec mailing list to
introduce an anti-SKIP bias.

> The second mode uses ephemeral Diffie-Hellman,
> with certificates, in a 2-6 message exchange depending on how much state
> already exists in the end nodes (specifically: 2 messages for Certificate
> Discovery Protocol, 2 messages for Algorithm Discovery Protocol, plus 2
> messages for PFS before the first data packet can be sent)

This is editorializing.

If you insist on counting one-time messages, then the next time someone
says that an SNMP trap is a one message protocol, please be sure to
point out that it's actually a 5 message protocol, "depending on how
much state already exists in the end nodes":  1 for the trap, 2 for the
DNS lookup, and 2 for the ARP request-response.

> (though SKIP's PFS is different from others in that it does not
> provide PFS for identities),

This is more editorializing.

PFS and anonymity are orthogonal issues.  A protocol may provide PFS
with no anonymity, or anonymity with no PFS.  This also ignores the
issue that SKIP PFS provides anonymity protection against man-in-the-
middle attacks.  This is a tradeoff which you are ignoring in your
slanted commentary.

> and has significant per-message overhead.

This is more anti-SKIP editorializing.

There has been substantial discussion on the mailing list regarding
protocol overhead.  Simply taking the opinion of the anti-SKIP camp and
passing this off as "minutes" reeks of unfairness.

Others have told us in private that they were amazed at the anti-SKIP
bias in the meeting minutes.  Some of these comments even came from
ISAKMP/Oakley advocates.

> (though the
> SKIP multicast proposal explicitly does not specify how the group owner is
> determined nor how knowledge of the group owner's identity is communicated
> scalably and authentically to the members of the group nor how the group key
> is created).

We welcome any criticism you might have on our multicast draft.  If
there are points which can be made more clear, we'll be happy to do
this.  But the meeting minutes are not an appropriate forum for
editorializing by the chairs.

> [ISAKMP] is available via MIT server.

Again, we also have free software which is available and the URL was
mentioned at the meeting.

Is it too much to ask that the minutes accurately and fairly record
what took place at the meeting?

--tom