
Re: some issues about IPSec



Harald,

> You're talking about different tunnel-mode semantics than most people,

Maybe I was not sufficiently clear.  My message was intended to give
reasons why Transport Mode is needed, not about the relative merits of
the different tunneling schemes.  I think that trying to get a tunnel
to emulate the IP layer, in all its glory, is very hard.  But I think
that IPSec should serve all the communities that need real security
services, not just those wanting a VPN, or mobility, or ...

In addition, IPSec should not be so restrictive that it makes it
harder for the routing subsystem to evolve in ways that inevitably
will be needed to scale to a truly global Internet.  The number of
folk working in the area is so large today that I find it hard to keep
track of all that is happening.  Have you heard about the suggestions
to help the scaling and autoconfiguration problem by having routers
rewrite IP addresses as the packets pass by?  Consider what will
happen to end-to-end authentication then.  AH may turn out to be a
major denial of service attack.  (At the moment, ESP authentication,
either with or without confidentiality, could be used to get around
the problem, but I do not think that the infrastructure to decide when
AH will work and when ESP would be needed is there.)

Lots of things for us to consider in IPSecond.

Charlie
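
The AH-versus-ESP point in the message above, worked through as an added example; this is not code from Charlie's message or from the ipsec list. It models what an authentication check sees when a router on the path rewrites the source address: AH (RFC 4302) computes its ICV over the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, header checksum) zeroed, so the addresses are covered and a rewrite invalidates the packet at the receiver, whereas ESP authentication covers only the ESP header through the ESP trailer, so the outer addresses can change freely. Assumptions: HMAC-SHA1-96 as the integrity algorithm, ESP with NULL encryption (authentication without confidentiality, one of the two cases the message mentions), a hand-built IPv4 header, and a constructed key and addresses; it is a protocol model, not a kernel IPsec implementation.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO, ESP_PROTO = 51, 50
ICV_LEN = 12                      # HMAC-SHA1-96 truncation (RFC 2404)
KEY = b"constructed-demo-key"     # constructed for the example, not a real SA key


def checksum(data: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302: fields a router may legitimately change are zeroed before the AH ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0            # TOS / DSCP
    h[6:8] = b"\0\0"    # flags + fragment offset
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h)     # source and destination addresses stay covered


def ah_icv(ip_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    data = zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(src, dst, payload, key, spi=0x100, seq=1, inner_proto=17) -> bytes:
    # AH fixed part: next header, payload len (in 32-bit words minus 2), reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", inner_proto, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, len(ah_fixed) + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload, key) + payload


def verify_ah_packet(pkt: bytes, key: bytes) -> bool:
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload, key))


def build_esp_packet(src, dst, payload, key, spi=0x200, seq=1, inner_proto=17) -> bytes:
    """ESP-NULL (RFC 2410) with authentication: the ICV covers SPI..next-header only."""
    pad_len = (-(len(payload) + 2)) % 4
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, inner_proto]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(src, dst, ESP_PROTO, len(body) + ICV_LEN) + body + icv


def verify_esp_packet(pkt: bytes, key: bytes) -> bool:
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN])


def router_forward(pkt: bytes, new_src: str = None) -> bytes:
    """One hop: decrement TTL, optionally rewrite the source address, refresh the checksum."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", checksum(bytes(h)))
    return bytes(h) + pkt[20:]


def demo(payload: bytes = b"hello", key: bytes = KEY) -> dict:
    ah = build_ah_packet("10.0.0.1", "10.0.0.2", payload, key)
    esp = build_esp_packet("10.0.0.1", "10.0.0.2", payload, key)
    return {
        "ah_unmodified": verify_ah_packet(ah, key),
        "esp_unmodified": verify_esp_packet(esp, key),
        "ah_after_plain_hop": verify_ah_packet(router_forward(ah), key),
        "ah_after_rewrite": verify_ah_packet(router_forward(ah, "192.0.2.1"), key),
        "esp_after_rewrite": verify_esp_packet(router_forward(esp, "192.0.2.1"), key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

A plain hop (TTL decrement plus checksum update) leaves the AH packet verifiable because those fields are zeroed in the ICV computation; an address rewrite does not, and the receiver silently discards the packet, which is the denial-of-service effect the message describes. The ESP packet verifies in both cases because the outer header is outside its ICV. The same model applies to the ESP-with-confidentiality case, since encryption changes what is inside the ESP body but not what the ICV covers.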

