
Re: Simplifying IKE



 In your previous mail you wrote:

   I read your answer, and I fear I am no wiser.  You still haven't explained
   why dumping AH and transport mode would "reduce IPsec to VPNs"

=> assume that you have an IPsec implementation with AH, ESP, even IPCOMP,
transport and tunnel modes, an IKE you know how to configure (:-), ...
So the only application where you'd like to use ESP in tunnel mode
is VPNs: for end-to-end, transport mode is easier/cheaper; if you need
authentication only, AH is easier/cheaper and gives more.

   because it is not clear what you mean by "VPNs"

=> protection (confidentiality first) of traffic between two points
with at least one of the two ends being a SG.

   or what your envisioned non-"VPN" applications for IPsec are

=> an example: protect a BGP session between two routers (authentication
is enough, network layer is mandatory because of fake TCP RSTs).

   (and why they can't be done with ESP tunnels). 

=> I didn't say that, everything can be done with ESP tunnels but
with more complexity and higher cost.
   
   >    ESP tunnels can do everything AH or transport mode can do,
   >    although sometimes at very slightly greater cost. 
   >    
   > => yes but as you have written there is a cost.
   
   Quite so, however my claim is that it is very seldom a significant cost.
   We commonly accept general-purpose mechanisms whose costs are slightly
   higher than necessary for any particular application, for the sake of
   generality and simplicity.  Numbers matter; a claim that the costs of
   simplification are unacceptable needs to be justified numerically. 
   
=> it seems you'd like to apply the market argument: the market is VPNs
so keep only the ESP in tunnel mode. I understand that but I don't like it.

   > PS: as a champion of the tunnel mode, can you help me in order to
   > have RFC 2401 5.1.2.1 footnote 3 (including its note) correctly
   > implemented.
   
   I'm certainly interested in helping: I don't immediately see what help
   you are asking for...
   
=> too many implementations check when they should not (I'd like to get
a MUST NOT here) the outer source address for ESP tunnels. The reason
seems to be security: if there is a real issue the RFC must be fixed
ASAP; if there is none, the implementations must be fixed ASAP.
If we keep only ESP in tunnel mode I'd like to get it correctly
implemented...

Regards

Francis.Dupont@enst-bretagne.fr
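The inbound lookup at issue in the PS above, as an added illustration that is not code from the post or from any IPsec implementation: RFC 2401 (sections 4.4 and 5.2.1) identifies an inbound SA by the triple of outer destination address, protocol and SPI and then matches the decapsulated packet against the SA's selectors; the `strict_outer_src` switch models the extra outer-source check the post says some implementations add. The SAD fields and packet metadata are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TunnelSA:
    spi: int
    proto: str        # "ESP" or "AH"
    outer_dst: str    # local tunnel endpoint (part of the RFC 2401 SA triple)
    peer: str         # outer source recorded when the SA was set up (NOT a lookup key)
    inner_src: str    # selectors (RFC 2401 4.4.2) applied to the inner packet
    inner_dst: str


class SAD:
    """Security Association Database keyed exactly as RFC 2401 4.4 prescribes."""

    def __init__(self):
        self._by_triple = {}

    def add(self, sa):
        self._by_triple[(sa.outer_dst, sa.proto, sa.spi)] = sa

    def lookup_inbound(self, outer_dst, proto, spi):
        # RFC 2401 5.2.1 step 2: SA = f(outer dst, protocol, SPI); the outer
        # source address of the packet is not consulted here.
        return self._by_triple.get((outer_dst, proto, spi))


def process_inbound(sad, outer_src, outer_dst, proto, spi,
                    inner_src, inner_dst, strict_outer_src=False):
    """Return the disposition of one decapsulated tunnel-mode packet."""
    sa = sad.lookup_inbound(outer_dst, proto, spi)
    if sa is None:
        return "drop: no SA"
    if strict_outer_src and outer_src != sa.peer:
        # The additional check the post argues should be a MUST NOT.
        return "drop: outer source mismatch"
    # RFC 2401 5.2.1 step 3: the inner packet must match the SA's selectors.
    if (ip_address(inner_src) not in ip_network(sa.inner_src)
            or ip_address(inner_dst) not in ip_network(sa.inner_dst)):
        return "drop: selector mismatch"
    return "accept"


# Constructed sample: one ESP tunnel SA terminating on a security gateway.
SAMPLE_SAD = SAD()
SAMPLE_SAD.add(TunnelSA(spi=0x1001, proto="ESP", outer_dst="192.0.2.1",
                        peer="198.51.100.7", inner_src="10.1.0.0/16",
                        inner_dst="10.2.0.0/16"))
```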

