Re: Two issues: AH death, and SA identification
At 10:29 AM +0200 3/24/01, Markku Savela wrote:
>> >Why would you need a new protocol number if you changed this? "On the
>> >wire" format for IPSEC AH and ESP packets would not change at all.
>>
>> The protocol is more than the format of bits on the wire; it also
>> encompasses the processing at sender and receiver. So, if these
>> changes affect that processing, it's not the same protocol.
>
>When I say "on the wire format doesn't change", I also intended to
>include: a change in processing on one end doesn't affect the
>processing on the other end.
>
>To avoid further confusion, what is the proper term to express this
>condition? Just say "change is internal implementation issue"?
We have varying degrees of what constitutes a purely "local matter."
If the change is not externally observable, then I think everyone
agrees that it is not a standards issue. If the change is externally
observable, it's in a gray area. Part of what I try to do in 2401 is
to provide specs that allow a customer to be able to predict
If the change is externally observable and it affects how the other
end of the connection or SA or whatever operates, then it's clearly a
standards matter.
>The processing of incoming SA and destination address is exactly such
>"internal implementation decision". => My conclusion: no new protocol
>number for ESP/AH is required.
This falls into the gray area, as different local processing re SA
selection could have externally observable characteristics.
>HOWEVER, I did say that such change probably would change the IKE
>negotiations. But, that is a different protocol.
True, but the IPsec architecture encompasses multiple protocols, and
may become more IKE dependent in the future, to better coordinate
with IKE.
>The tunnel vs. transport mode is a related issue. As coded, a "tunnel
>mode" is just "transport mode applied to IP tunnel" (even though the
>tunnel wrap/unwrap is also done within IPSEC). Again, using my above
>definition, this is "internal implementation issue".
As others have noted, this is definitely not a purely local matter.
Steve