
Re: notes from developer's portion of IETF meeting



kent@bbn.com writes:
> The meeting minutes suggested that ESP must always be used with
> authentication, either intrinsic to ESP or via a separate AH, hence my
> concern and an example of why I felt such a requirement would be unduly
> restrictive.  Authentication costs more in packet processing time, and
> especially in space for the small packets that characterize compressed
> audio.

Now that I read this paragraph, I know how to phrase my objection
more clearly.

If packet voice folks are worried about the performance hit from
the extra couple of words of overhead for AH, they shouldn't be using
ipsec; they should be using some higher-level application-level
authentication, which lets them do all sorts of application-specific
optimizations (e.g. MACing entire kilobytes at a time).

(By the way, typically authentication should require significantly
less CPU time than encryption -- at least in my limited experience,
though I admit I haven't written any ipsec code in two years.)

We dare not carve a hole out of ipsec for each special-purpose group
who wants their own optimization.  The great value of ipsec is in its
robustness across the great diversity of internet applications.  An
authentication-less ESP detracts from ipsec robustness, and I think
that's bad for everyone.

All IMHO, of course. -- Dave
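
Added example, not part of the original message: a sketch of the application-level batching mentioned above ("MACing entire kilobytes at a time"). It assumes HMAC-SHA256 truncated to 96 bits, 20-byte audio frames, and a hypothetical layout in which the last frame of each batch carries the tag. It shows the space saving and the cost: one altered frame makes its whole batch unverifiable.

```python
import hashlib
import hmac

TAG_LEN = 12  # assumption: HMAC-SHA256 truncated to 96 bits

def _tag(key, first_seq, frames):
    # Bind the tag to the batch's first sequence number and to each
    # frame's length and bytes, so frames cannot be moved or re-split.
    msg = first_seq.to_bytes(4, "big")
    for f in frames:
        msg += len(f).to_bytes(2, "big") + f
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def protect(key, frames, batch):
    """Return packets; the last packet of every `batch` frames carries one tag."""
    packets = []
    for start in range(0, len(frames), batch):
        group = frames[start:start + batch]
        packets.extend(group[:-1])
        packets.append(group[-1] + _tag(key, start, group))
    return packets

def verify(key, packets, batch):
    """Return one verdict per batch; a failed batch taints all of its frames."""
    verdicts = []
    for start in range(0, len(packets), batch):
        group = list(packets[start:start + batch])
        last = group[-1]
        group[-1], received = last[:-TAG_LEN], last[-TAG_LEN:]
        verdicts.append(hmac.compare_digest(received, _tag(key, start, group)))
    return verdicts

def overhead(frames, packets):
    """Authentication bytes added, as a fraction of payload bytes."""
    payload = sum(len(f) for f in frames)
    return (sum(len(p) for p in packets) - payload) / payload

# Constructed sample: 50 compressed-audio frames of 20 bytes each.
KEY = b"k" * 32
FRAMES = [bytes([i]) * 20 for i in range(50)]

if __name__ == "__main__":
    for batch in (1, 10, 50):  # batch=1 is a tag on every packet
        pkts = protect(KEY, FRAMES, batch)
        print(batch, overhead(FRAMES, pkts), all(verify(KEY, pkts, batch)))
    pkts = protect(KEY, FRAMES, 10)
    pkts[13] = b"\xff" + pkts[13][1:]  # one modified frame in the second batch
    print(verify(KEY, pkts, 10))       # only that batch is rejected
```

Larger batches cut the space cost but delay verification until the batch's last frame arrives, which matters for real-time audio.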

