Re: IPSEC document reading party!

[Gordon Oliver <gordo@telsur.cl>]

... Theodore Y. Ts'o said ...
>	Bob and I are very concerned that few people are actually
>reading all of the IPSEC drafts, and so there may be internal
>inconsistency and other problems across the various drafts, that perhaps
>won't be discovered until after they are published as RFC's.  That, as
>they say, would be Bad.

some comments on the documents and consistencies.
	- in the DOI document there is a reference to using ESP with a NULL
		encryption routine in order to do tunnelling. At least for AH
		it specifies that this should never happen in a real system
		(and probably should not for ESP either).
	- I am extremely uncomfortable with the idea that the Security
		Architecture document suggests that the entire database
		must be searched for matching SA's. This seems to make it
		impossible to specify policies s.t. each connection gets
		a private SA (or similar types of policies). It also makes
		the implementation slower and more painful.
	- There is very little said about ICMP handling, perhaps there should
		be something said about echoing confidential (i.e. ESP) data
		in an ICMP packet that does not have ESP.
	- There is nothing much said about what kinds of policies are allowed,
		and the associations between policies and bundles.

		-gordo

--
---------------------------------------------------------------
Gordon Oliver	(gordo@telsur.cl)	Independent Consultant
	... Available for consulting on Linux  ...

---

References:

• IPSEC document reading party!
• From: "Theodore Y. Ts'o" <tytso@MIT.EDU>

---

• Prev by Date: IV generation
• Next by Date: Extended authentication with ISAKMP/Oakley draft
• Prev by thread: IPSEC document reading party!
• Next by thread: RE: IPSEC document reading party!
• Index(es):
  • Main
  • Thread