[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Death to AH (was Re: SA identification)


>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
    Stephen> RFC 2401 states that compliant implementations MUST support AH in 
    Stephen> several places. This language is present because the WG strongly 
    Stephen> endorsed it. Fejj Schiller took a straw poll after Peter Ford (MS) 

  Yes, I understood the argument at the time, and I agreed with it.

  What I am trying to get at, is... when the VPN vendors say that they are
"compliant", what does that specifically mean. I.e. when marketing says "do
IPsec", on what basis does engineering translate this to. Does this mean
"RFC2401" (which wouldn't necessarily mean that you have had IKE, btw), etc.

  So, it then falls to the compliance testers to say,
      "IPsec = 2401...2409, plus some PKI subset"

  since there aren't any PKI requirements stated in that list, they have to
add those from the appropriate PKIX work, etc. 

  So, when VPN vendors say that they don't like AH for some set of reasons
and like to remove it, I ask the question: "who said you had to implement
it?"

  (Recall the joke with the patient who says "Doctor, it hurts when I do this!",
  Doctor says "Don't do that!")

  IPsec is a tool to implement many things, including VPNs, but VPN is
clearly the primary user at present. I would hate to have AH junked for all
end hosts because it didn't agree with the VPN subset.
  As a precedent, we have different router and end-system requirements at
present. I think that 2401 speaks to end systems requirements, not gateway
requirements. 

  It seems that the appropriate thing to do is to write a BCP on the "VPN"
problem, and then the VPN vendor's can claim compliance to *that* rather than 
to 2401.

  The full blown host systems (Sun, KAME, Win2k,...) are the ones that we
want to be 2401 compliant.   I haven't seen any of them argue strongly for
removing AH (or transport mode).

  The water will get even more muddy as IPSP and IPSRA work goes to PS. What
will "IPsec compliant" mean then?

    Stephen> but I am surprised by the form of your question. It seemed to suggest 
    Stephen> that a desire to claim compliance with the IETF standard for the 
    Stephen> IPsec architecture was not sufficient motivation, whereas compliance 
    Stephen> with industry test programs that are not aligned with IETF standards 
    Stephen> was a good motivation. if you really feel this way, perhaps you 
    Stephen> should focus more on contributing to ICSA and related efforts, vs. 
    Stephen> the IPsec WG :-).

  This issue is that the industry test programs are not handing out "IPsec"
conformance certificates, because 
	   1) it is a hard thing (i.e. $$$) to fully test
	   2) the end-customers don't really want all of of what "IPsec"
	   could be. They mostly want VPNs. 

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@solidum.com   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
Follow-Ups: References: