
Re: Simplifying IKE




>AH or not-AH has nothing to do with VPN or end-to-end IPsec use.
>
>As Steve Bellovin has pointed out on numerous occasions, the IP header
>in transport-mode ESP can be "authenticated" merely by doing a compare
>of the source and destination addresses against static state in the
>SA...

	if you think about extension headers/IP options, IMHO the above
	statement is not correct.  AH is needed for a good reason.

	what is bothering me in the IPsec spec is that it includes tunnel mode.
	the IPsec specification should only talk about transport mode, and tunnel
	mode should be "IPsec transport mode + some sort of tunnelling".
	there are a lot of (really, a lot of) tunnelling specifications around,
	so you have no problem referring to those.
	also, "bundle" should be dropped from RFC2401, as the concept of
	"bundle" conflicts with the way AH and ESP are defined - they are
	independent protocols, and can easily be handled/negotiated completely
	separately.

	btw - are we really going to simplify IPsec too, not just IKE?
	if not, we should stop talking about IPsec mods.

itojun
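The point itojun makes about options is easy to see with a worked example. The following is added here for illustration and is not part of the thread or of any IPsec implementation: it builds a transport-mode AH packet over an IPv4 header that carries options, computes the HMAC-SHA1-96 ICV with the mutable fields zeroed the way RFC 2402 describes (TOS, flags/fragment offset, TTL, header checksum, and the whole of each mutable option), and then compares two receiver-side checks. The "ESP-style" check is the one quoted above: compare source and destination addresses against SA state and nothing else. The key, addresses, SPI, and the classification of Router Alert (148) as immutable and Record Route (7) and Timestamp (68) as mutable are assumptions made for the example (my reading of RFC 2402 Appendix A); IPv6 extension headers follow the same idea but are not modelled here.

```python
import hashlib
import hmac
import struct

# Constructed sample SA state (hypothetical values, not from the thread).
SA_KEY = bytes(range(20))          # shared HMAC-SHA1 key
SA_SRC = "192.0.2.1"
SA_DST = "198.51.100.7"
SA_SPI = 0x1000
ICV_LEN = 12                       # HMAC-SHA1-96 truncation
PROTO_AH, PROTO_UDP = 51, 17
# Option classes assumed from RFC 2402 Appendix A: Record Route (7) and
# Timestamp (68) are mutable and zeroed; Router Alert (148) is immutable.
MUTABLE_OPTIONS = {7, 68}


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, options=b"", ttl=64):
    if len(options) % 4:
        raise ValueError("options must be padded to a 32-bit boundary")
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                      0x1234, 0, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr += options
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr):
    """Copy of the header as fed to the ICV: mutable fields and options zeroed."""
    h = bytearray(ip_hdr)
    h[1] = 0                     # TOS / DS
    h[6:8] = b"\x00\x00"         # flags + fragment offset
    h[8] = 0                     # TTL
    h[10:12] = b"\x00\x00"       # header checksum
    i = 20
    while i < len(h):
        kind = h[i]
        if kind == 0:            # End of Option List: remaining bytes are padding
            break
        if kind == 1:            # NOP
            i += 1
            continue
        length = h[i + 1]
        if length < 2:
            raise ValueError("malformed option")
        if kind in MUTABLE_OPTIONS:
            h[i:i + length] = bytes(length)   # whole option zeroed, type and length included
        i += length
    return bytes(h)


def ah_header(seq):
    payload_len = (12 + ICV_LEN) // 4 - 2     # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", PROTO_UDP, payload_len, 0, SA_SPI, seq) + bytes(ICV_LEN)


def compute_icv(ip_hdr, ah, payload):
    data = zero_mutable_fields(ip_hdr) + ah[:12] + bytes(ICV_LEN) + payload
    return hmac.new(SA_KEY, data, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(payload, options=b"", seq=1, ttl=64):
    ip_hdr = build_ipv4_header(SA_SRC, SA_DST, PROTO_AH, 12 + ICV_LEN + len(payload), options, ttl)
    ah = ah_header(seq)
    return ip_hdr + ah[:12] + compute_icv(ip_hdr, ah, payload) + payload


def split_packet(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    ah_len = (pkt[ihl + 1] + 2) * 4
    return pkt[:ihl], pkt[ihl:ihl + ah_len], pkt[ihl + ah_len:]


def esp_style_address_check(pkt):
    """Transport-mode ESP has no ICV over the IP header: the most it can do is
    compare the addresses against the SA, as the quoted text says."""
    ip_hdr, _, _ = split_packet(pkt)
    return bytes_to_ip(ip_hdr[12:16]) == SA_SRC and bytes_to_ip(ip_hdr[16:20]) == SA_DST


def verify_ah(pkt):
    ip_hdr, ah, payload = split_packet(pkt)
    if ip_hdr[9] != PROTO_AH or struct.unpack("!I", ah[4:8])[0] != SA_SPI:
        return False
    return hmac.compare_digest(compute_icv(ip_hdr, ah, payload), ah[12:12 + ICV_LEN])


def demo():
    """Returns (address_check, ah_check) for each scenario; sample data is constructed."""
    pkt = build_ah_packet(b"hello", options=bytes([148, 4, 0, 0]))   # Router Alert
    tampered = bytearray(pkt)
    tampered[23] = 1            # attacker rewrites the option value, addresses untouched
    hop = bytearray(pkt)
    hop[8] -= 1                 # a router decrementing TTL and refreshing the checksum
    hop[10:12] = b"\x00\x00"
    hop[10:12] = struct.pack("!H", ipv4_checksum(bytes(hop[:24])))
    rr = bytearray(build_ah_packet(b"hello", options=bytes([7, 7, 4, 0, 0, 0, 0, 0])))
    rr[22], rr[23:27] = 8, bytes([10, 0, 0, 1])   # Record Route filled in en route
    return {
        "original": (esp_style_address_check(pkt), verify_ah(pkt)),
        "option_tampered": (esp_style_address_check(bytes(tampered)), verify_ah(bytes(tampered))),
        "ttl_decremented": (esp_style_address_check(bytes(hop)), verify_ah(bytes(hop))),
        "record_route_updated": (esp_style_address_check(bytes(rr)), verify_ah(bytes(rr))),
    }
```

Running `demo()` shows the asymmetry: the address compare accepts every variant, since only the option bytes change, while the AH ICV rejects the rewritten Router Alert option and still accepts the legitimate TTL decrement and the in-flight Record Route update, because those are the fields AH deliberately excludes.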

