Re: ESP revisions straw poll
I've been very puzzled by the opposition to auth-only ESP, so much so that
I went back and reviewed messages from August 1995, in which I had tried
to suggest it, and in which I thought there had been rough consensus that
it was a good idea. Disappointingly, I now see that I was overly subtle,
and the concept was confused with tunneling AH. But for the volume of
IPSO argument at the time, I would have continued arguing for it back then.

Auth-only ESP seems to be completely consistent with the design goals
of the working group; note that encryption is entirely up to the
sender in any case, so Steve Kent's suggestion that it MAY be done
seems completely reasonable. Seriously, how can a group that bought
into AH view an accommodation for auth-only as more than a triviality
in terms of implementation?

If belief has any merit in this discussion, and I note that more and more
responses seem to be appealing to subjectivity, I believe that the market
will ultimately choose to use ESP and ignore AH, and I further believe that
this will be a good thing.

In full honesty, I was concerned about the comment that suggested key
negotiation would be more difficult with auth-only ESP, and I was hoping
that someone with a little spare time could check on whether or not this
is true; key negotiation requires confidentiality for some part of the
exchange, and if there is a possibility of specifying an algorithm that
was in the confidentiality class but didn't really provide the service,
this would be Very Bad.

A further belief: don't worry about IPSEC, it has been astoundingly
resilient to the ravages of eternal argument. Though sometimes I worry
...

IPSEC is a protocol
As dead as dead can be
First it killed a working group
And now it's killing me
Hilarie
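The "auth-only ESP" being argued for above is what later shipped as ESP with the NULL encryption transform (RFC 2410) and an HMAC integrity check value. The following Python is an added illustration, not code from this message or from any IPsec implementation: it builds an ESP packet in that mode, verifies its ICV, and shows the one property that distinguishes it from AH, namely that the ICV covers the SPI through the Next Header field but not the outer IP header, so a router changing the TTL leaves ESP verification intact while any change to the protected payload fails it. The SPI, sequence numbers, key and payload are constructed test values; the 128-bit truncation of HMAC-SHA-256 follows the AUTH_HMAC_SHA2_256_128 convention of RFC 4868, and the replay rule is simplified to strict monotonic sequence numbers rather than a sliding window.

```python
import hmac
import hashlib
import struct

ICV_LEN = 16          # AUTH_HMAC_SHA2_256_128: HMAC-SHA-256 truncated to 128 bits (RFC 4868)
NEXT_HEADER_TCP = 6   # IP protocol number carried in the ESP trailer


def build_auth_only_esp(spi: int, seq: int, payload: bytes, next_header: int, key: bytes) -> bytes:
    """Build an ESP packet using NULL encryption and an HMAC ICV.

    Layout (RFC 2406): SPI | Sequence | Payload | Padding | Pad Length | Next Header | ICV.
    With NULL encryption the payload travels in the clear, but the ICV still
    covers everything from the SPI through the Next Header field.
    """
    # ESP requires Pad Length and Next Header to end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default ESP padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def verify_auth_only_esp(packet: bytes, key: bytes, last_seq: int):
    """Check the ICV and a simplified anti-replay rule; return (spi, seq, next_header, payload) or None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None  # payload, trailer or header was altered in transit
    spi, seq = struct.unpack("!II", body[:8])
    if seq <= last_seq:
        return None  # replay (real implementations use a sliding window, RFC 2406 sec. 3.4.3)
    pad_len, next_header = body[-2], body[-1]
    payload = body[8:-(2 + pad_len)]
    return spi, seq, next_header, payload


def demo():
    """Exercise the packet builder: a good packet, a tampered payload, and a replay."""
    key = b"\x0b" * 32                      # constructed test key, never a real SA key
    payload = b"GET / HTTP/1.0\r\n\r\n"     # constructed inner data
    esp = build_auth_only_esp(spi=0x1234, seq=1, payload=payload,
                              next_header=NEXT_HEADER_TCP, key=key)

    # A constructed 20-byte outer IPv4 header in front of ESP (protocol 50).
    outer = bytearray(b"\x45\x00" + struct.pack("!H", 20 + len(esp)) + b"\x00\x00\x00\x00"
                      + b"\x40\x32\x00\x00" + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    outer[8] -= 1  # a router decrementing TTL: ESP neither covers nor cares about this byte
    ok = verify_auth_only_esp(bytes(outer)[20:] + esp[len(esp):] or esp, key, last_seq=0)

    tampered = bytearray(esp)
    tampered[8] ^= 0x01                     # flip one bit of the first payload byte
    bad = verify_auth_only_esp(bytes(tampered), key, last_seq=0)

    replay = verify_auth_only_esp(esp, key, last_seq=1)  # seq 1 seen again
    return ok, bad, replay


if __name__ == "__main__":
    good, bad, replayed = demo()
    print("valid:", good is not None, "| tampered rejected:", bad is None, "| replay rejected:", replayed is None)
```

The verifier never looks at the outer header, which is the point: auth-only ESP authenticates the transported datagram, while AH additionally binds immutable fields of the outer IP header. An implementation that wants the latter must use AH (or tunnel-mode ESP, which carries the inner header inside the protected payload); nothing about the integrity check itself is harder than what an AH implementation already does.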