
Re: Two issues: AH death, and SA identification



At 10:29 AM +0200 3/24/01, Markku Savela wrote:
>>> Why would you need a new protocol number if you changed this? "On the
>>> wire" format for IPSEC AH and ESP packets would not change at all.
>>
>> The protocol is more than the format of bits on the wire; it also
>> encompasses the processing at sender and receiver. So, if these
>> changes affect that processing, it's not the same protocol.
>
>When I say "on the wire format doesn't change", I also intended to
>include: a change in processing on one end doesn't affect the
>processing on the other end.
>
>To avoid further confusion, what is the proper term to express this
>condition? Just say "the change is an internal implementation issue"?

We have varying degrees of what constitutes a purely "local matter."
If the change is not externally observable, then I think everyone
agrees that it is not a standards issue. If the change is externally
observable, it's in a gray area. Part of what I try to do in 2401 is
to provide specs that allow a customer to be able to predict
If the change is externally observable and it affects how the other
end of the connection or SA or whatever operates, then it's clearly a
standards matter.

>The processing of incoming SA and destination address is exactly such
>"internal implementation decision".  => My conclusion: no new protocol
>number for ESP/AH is required.

This falls into the gray area, as different local processing re SA
selection could have externally observable characteristics.

>HOWEVER, I did say that such change probably would change the IKE
>negotiations. But, that is a different protocol.

True, but the IPsec architecture encompasses multiple protocols, and
may become more IKE dependent in the future, to better coordinate
with IKE.

>The tunnel vs. transport mode is a related issue. As coded, a "tunnel
>mode" is just "transport mode applied to an IP tunnel" (even though the
>tunnel wrap/unwrap is also done within IPSEC). Again, using my above
>definition, this is an "internal implementation issue".

As others have noted, this is definitely not a purely local matter.

Steve
