All this tweaking is nice, but...



Hello folks in IPsec-land!

I've been seeing a lot of last-minute tweaks lately on the list.  As someone
who Writes Code (TM), and as someone who's helped build some of the earliest
versions of IPsec, I just have one question:   WHY?

Most of the ones I've seen recently seem extraneous (we can argue until we're
blue in the face about if truncation is stronger, but the critical question
is if non-truncated is BROKEN?), and others are made for reasons that don't
take into account the big picture (code needed to parse variable-sized replay
counters is lost in the noise compared with the HMAC calculations, so don't
go whining about performance).

I'll bet small sums that some of what's been popping up on IPsec is the
result of some of the AIAG stuff.  It's good that stuff like AIAG happens,
but you guys can't forget that some of us aren't doing (or can't do) AIAG yet
for _varying_ reasons.

A few things to remember folks:

	1.) The IP Security Architecture is EXTENSIBLE.  This means if
	    something's really broke, you can obsolete the current draft
	    with a new one.  Apart from changes derived from Bellovin's
	    summer USENIX paper (some of which, mind you, merely involved
	    following the spec), I haven't seen anything after those changes
	    (Combined ESP, replay) that fixes honest-to-God BREAKAGE.
	    Let's go with what's there, and create NEW drafts for some of
	    these new approaches.

	2.) The KISS principle.  Yes, we can't leave gaping holes, but if
	    there are no gaping holes, let's not go changing for change's
	    sake!  I'd suggest to everyone on this list a re-reading of _The
	    Mythical Man-Month_ by Fred Brooks.  And if you've never read
	    this seminal work, for crying out loud find a copy.

	3.) Let's not create a separate implementors list the way IPng did.
	    I don't get AIAG-type mail, because I'm unable to show up for 
	    now.  I'm sure I'm not the only one, though.  Spec writers need
	    to hear about implementation experience, and implementors need to
	    hear the writers' rationale(s).

	4.) We're in the risk reduction business.  The only perfect security
	    is the good ole-fashioned airgap firewall, or something else that
	    keeps you from moving bits.  (If anyone calls your network
	    "truly secure" be afraid, be very afraid.)  If we reduce the
	    vulnerability, we're doing well.

Alright alright, I'll climb down off my soapbox now.

ObPlug:	My updated internet drafts are in the I-D queue currently.
	Watch for them.

--
Daniel L. McDonald  -  Solaris Internet Engineering  ||  MY OPINIONS ARE NOT
Mail: danmcd@eng.sun.com, danmcd@kebe.com <*>        ||  NOT NECESSARILY SUN'S!
Phone: (415) 786-6815            |"rising falling at force ten
WWW: http://www.kebe.com/~danmcd | we twist the world and ride the wind" - Rush