[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt

To: "Mason, David" <David_Mason@nai.com>, <ipsec@lists.tislabs.com>
Subject: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
From: "Brian Swander" <briansw@windows.microsoft.com>
Date: Tue, 10 Jul 2001 09:06:28 -0700
Sender: owner-ipsec@lists.tislabs.com
Thread-Index: AcEJUX0Nf2zYvShHSrS+RjzoAGXA5AAB+GPw
Thread-Topic: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt

I can field a couple of the below:

The 5 minute interval of keep-alives (keep-alives still sent every 20
(or X) seconds) after all SAs are down is to allow for the case for the
peer external to the NAT to potentially decide that it needs to rekey
the MM, and still have the NAT hole poked so that the IKE traffic could
traverse the NAT and reach the internal machine.  This is a tradeoff
between maintaining lots of state and sending keep-alives vs.
potentially breaking upper layer connections.

As for the AH specification, we put it in for completeness because we
didn't want to open the draft up to the criticism of ignoring AH.  I
cannot speak for the rest of the authors, but I'd be surprised if anyone
is very interested in supporting AH.  Also, I don't think there would be
much resistance to removing the specification of AH, if we reach that
consensus.

bs

-----Original Message-----
From: Mason, David [mailto:David_Mason@nai.com] 
Sent: Tuesday, July 10, 2001 7:22 AM
To: ipsec@lists.tislabs.com
Subject: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt

What is the purpose/motivation behind the AH Envelope?  It seems like
needless overhead to me.

What is the purpose/motivation of the long period (default 5 minutes)
keepalive mentioned in the second paragraph of section 4?

Why bother providing even a MAY for support of AH?  Only support for
IPv4 AH
is specified, in which case ESPNULL provides practically the same
protection
(yes AH protects 3 historic security options, the router alert option
which
is noted to be incompatible with IPsec, and the multi-destination
delivery
option but how often are these options actually used?).  In the past
people
have been jumping up and down about IKE/IPsec already being too complex.
I
think this is a case where added complexity provides very little
benefit.

Just for the fun of causing trouble and stoking fires:  I noticed that
the
NAT-traversal drafts were published under the auspices of the WG instead
of
as individual submissions.  I thought there was an edict that the WG
would
not support changes to IKE/IPsec.  Has the edict been dropped, or is it
a
wish-washy edict, or are IDs with lots of authors from powerful
companies
exempt?
 
-dave

Prev by Date: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
Next by Date: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
Prev by thread: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
Next by thread: RE: I-D ACTION:draft-ietf-ipsec-udp-encaps-00.txt
Index(es):
- Main
- Thread