[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Items for new charter

To: ipsec@tis.com, "'Robert Moskowitz'" <rgm-sec@htt-consult.com>
Subject: RE: Items for new charter
From: "Davis, Terry L" <Terry.Davis@PSS.Boeing.com>
Date: Thu, 28 May 1998 12:53:44 -0700
Sender: owner-ipsec@ex.tis.com

Robert

Your note covers some of the issues I want to mention but I don't think
restating them hurts.  As you know, I tend to focus on operational use
issues and concerns so I'll toss out a few issues to consider not
necessarily as part of IPSEC II protocols but as the background that it
will need to live in and support.  As you begin to design IPSEC II
perhaps consider:

1) Scaling to handle GigaPoPs with individual IPSEC connections/tunnels
running near a gigabit and total flows through the PoP into the 10's of
gigabits.

2) Scaling to handle 10's of thousands of active IPSEC
connections/streams.

3) Methods to allow authentication of individual connections/streams to
enter or leave an IPSEC tunnel.

4) Methods to allow connection flexibility for both security and
provisioning (negotiation?); QOS, bandwidth of the tunnel,
authentication type, etc.

5) Methods to tag/mark connections to allow a stream/connection/flow to
be recognized as already authenticated/permitted/routed rather than
individual packet inspection.

6) Debugging concepts and management techniques to insure IPSEC II
supportability by the operators in a global environment; MIB's, tunnel
wraparound, etc.

IPSEC II will almost certainly be the one of the first security
protocols for the 21st century, we should treat it as such, even in
these early design phases, to insure it scales to support a global
Internet.

Take care,

Terry L. Davis, P.E.
Boeing

> ----------
> From: 	Robert Moskowitz[SMTP:rgm-sec@htt-consult.com]
> Sent: 	Friday, May 22, 1998 12:21 PM
> To: 	ipsec@tis.com
> Subject: 	Items for new charter
> 
> Yes, i know that the current IDs are just dragging along.  getting the
> 'last' nits in so they can get published. Ted is doing a good job of
> bird-dogging that effort, and it is past time to write the new
> charter.
> 
> To this end, I have put together a list of items that looks reasonable
> to
> tackle.
> 
> I want people to review them, and comment/subtract/add.  then I will
> rough
> out a new charter for the group.
> 
> 	 1) fix broken but usable
> 	 
> 	 Tero's issue with IKE.
> 	 Rekeying (well not so much as broke, but do we have the
> heuristic 
> 		right?)
> 	 
> 	 2) desperately needed functionality
> 	 
> 	 Host bootstrap (config)
> 	 Extended Authentication
> 	 Policy/tunnel endpoint discovery
> 	 Attribute Certs? KX records?  ICMP messages?
> 		Something else?
> 	 ICMP messages (TTL exceeded, port/host unreachable, admin
> 	 denied, ipsec-specific).
>  
> 	 3) wise things to do
> 	 
> 	 PMTU (Path MTU) for tunnels
> 	 Standardized error codes
> 	 MIBs
> 	 HMAC-RIPEM (EU wants THEIR standards included, reasonably
> enough)
> 	 
> 	 4) nice touches.
> 	 
> 	 MAC-DES
> 	 Other encryption algorithms
> 	 Other key exchange protocols
> 	 Simple and advanced crypto API
> 	 Dynamic discovery of complex ipsec topologies.
> 
> 
> 
> Robert Moskowitz
> ICSA
> Security Interest EMail: rgm-sec@htt-consult.com
>

Prev by Date: Re: IPCOMP and IPSEC
Next by Date: Re: IPCOMP and IPSEC
Prev by thread: Re: Items for new charter
Next by thread: Thomas Narten's DISCUSS vote
Index(es):
- Main
- Thread