
Re: IPsec Architecture -- proposed changes




There are certain parts of this discussion from both Ran and Steve which
don't make complete sense to me.

Ran: The text you are referring to is section 5.4 of RFC 1825, right?
Quite frankly, the text doesn't say much.  It says that AH authenticates
explicit labels, and you can have implicit labels associated with
SA's/SPI's.  It says that you should use different encryption keys for
different compartments/security levels.  All of this seems pretty common
sense to me.

Would MLS implementations really be hurt if the MLS text was moved into
a full MLS spec which would be fleshed out in a new working group (the
proposed IPSECond wg, for example)?


Steve: I don't understand your remark that the MLS-related text is
"spread throughout the old text".  It seemed to me it was localized to
section 5.4 of RFC 1825.  Granted that there's probably more --- perhaps
a lot more --- one could say about MLS and IPSEC than was said in RFC
1825, what problems do you foresee with simply including section 5.4 with
minimal changes into the security architecture document?


As should be pretty obvious from my questions to both Ran and Steve, I
don't particularly care exactly how we resolve the MLS issue, but I (and
presumably the whole working group) *would* like for it to be resolved,
one way or the other.

							- Ted

