[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Bruce Schneier on IPsec

To: kent@bbn.com
Subject: RE: Bruce Schneier on IPsec
From: "Waters, Stephen" <Stephen.Waters@cabletron.com>
Date: Fri, 28 Jan 2000 01:58:58 -0000
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

Some comments Steve:

1) Compression. Van Jacobson-style compression could be used on TCP/IP (and
other prots now), and is far more efficient that LZS would be on these
headers.  Perhaps the IPCOMP header need to allow of a marker to tell the
receiver that Van-J has been used, and this should be added to the IPCOMP
negotiation in IKE?

2) Tunnel v Transport.  In the mood of simplification, there may be a
counter arguement to drop 'tunnel-mode' and keep just transport!  In the
same way that L2TP tunnel traffic is transport-mode protected,  IPIP tunnel
traffic can be transport-mode protected. This separates IPSEC from
'tunneling' altogether - a good idea in my mind, since IPIP tunnels have a
use in their own right.  I know this presents a different model, but it is
the one we use for LAN-LAN tunnels (L2TP and IPIP) for simplicity.  It
allows tunnel details (like the fun with MTU) to be left out of the IPSEC
specs - apart from mentioning security aspects.  Transport-mode protection
of IPIP tunnel packets = 'IPSEC Tunnel Mode'.

3) Using AH makes NAT (and Tos mapping) a little difficult. Perhaps 'RSIP'
will help here. If not for the NAT issues, I think IPIP tunnel traffic
should be protected with AH+ESP transport mode. With NAT as a problem, just
ESP transport mode.

4) Fragmentation - leave this issue to IPIP tunnel specification.
IPSEC-overhead calculation and be included the MTU maths via a 'system
service' call, but not 
needed as part of the IPSEC spec.

Regards, Steve
 

-----Original Message-----
From: Steve Kent [mailto:kent@bbn.com]
Sent: Friday, January 21, 2000 1:55 PM
To: ipsec@lists.tislabs.com
Subject: Re: Bruce Schneier on IPsec


Folks,

Since there has been so much mail recently re Bruce's comments, I
thought it appropriate to post my annotated comments on the evaluation. 
I apologize to Bruce, in advance, for not supplying these to him
privately first.  He kindly sent a copy of his analysis a while ago, but
I was able to find time to review it only recently.  I was planning to
send him this document, but I feel that it is appropriate to reply to
the list now, given the growing volume of comments. The attached
document is in MS Word, because I use the change control features to
make the annotations.  An ASCII version can be made available later, if
necessary.

Steve

Follow-Ups:

RE: Bruce Schneier on IPsec

From: Stephen Kent <kent@bbn.com>

Prev by Date: RE: issues raised at VPN interoperability workshop
Next by Date: Re: Simultaneous connection attempts
Prev by thread: Re: Bruce Schneier on IPsec
Next by thread: RE: Bruce Schneier on IPsec
Index(es):
- Main
- Thread