Re: Bruce Schneier on IPsec
Henry Spencer wrote:
>
> And where, exactly, are these written up in a form intelligible to non-WG
> observers? In a fairly strong sense, it does not *MATTER* whether the WG
> has discussed them, if that discussion, its reasoning, and its conclusions
> are not openly and readably documented. For some protocols, a "trust us,
> this is right" approach is at least defensible; for security protocols, it
> isn't.
>
Archives of this very mailing list, for one, and the published proceedings of
IETF meetings. Granted, that doesn't quite fit the bill of being completely
understandable to the unwashed, but given the process, it's about as good
as you're going to get.
Raise your hand if you want to volunteer to write up the minutes of
IPSEC meetings in a form suitable for non-participants. Hmmm, stunning
silence...
>
> I wouldn't be surprised; in fact, the authors admit as much in some
> places. But whose fault is that? The IPSEC spec is better than it used
> to be, but it's still pretty bad. Most notably, as F&S observe, it is
> glaringly deficient precisely in explaining *why* it does things the way
> it does. Again, this is a situation which might be tolerable in some
> contexts but is unacceptable in the Internet's central security protocol.
>
I have to agree with this. The IKE/DOI/ISAKMP documentation, in particular,
is quite hard to follow--even for someone who's been involved from the
beginning. The more-or-less continuous stream of "how do I interpret this
section of the IKE documents" questions on this mailing list should be a
good indicator of how confusing and unclear those documents are.
--
----------------------------------------------------------------------
Marcus Leech Mail: Dept 8M70, MS 012, FITZ
Systems Security Architect Phone: (ESN) 393-9145 +1 613 763 9145
Security and Internet Solutions Fax: (ESN) 395-1407 +1 613 765 1407
Nortel Networks mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------