Re: Simplifying IKE
Francis Dupont writes:
> => but VPNs are the current market so if we remove everything not used
> today only VPN stuff will remain. AH seems to be the first victim of
> the "simplifying IKE" process and transport mode will be the second
> (even if this has near nothing to do with the IKE issue and transport
> mode is more primitive than tunnel mode: tunnel mode is used in VPNs
> so it cannot be removed). IMHO this is just "remove everything we
> don't like or don't use" but the net result can be a VPN only IPsec.
This seems rather alarmist. I'm pretty
convinced that most of the people who
would like to see AH nuked aren't in favor
of a VPN-only IPsec. In fact, I don't recall
hearing anybody on this list make that suggestion.
> => I disagree, the purpose of AH is the protection of payload
> and headers (something ESP should not do because there already is AH)
> and for a signaling protocol like MIPv6 AH is both simpler and cheaper
ESP-NULL shouldn't be any more expensive than AH.
In fact, it should be cheaper since it just calls
the hashing algorithm over a single block rather
than having to deal with the bits and dregs
that AH needs to omit.
> to use. The trouble of IPsec with MIPv6 is more IKE (the thing we are
> supposed to simplify): obviously to run IKE phases 1 & 2 in order
> to protect BUs (sometimes a single small packet) is overkill
That assumes you only care about BUs...
> but it seems like a pretty vivid example of how more
> options == more confusion of how they all work (or
> don't work as the case were).
>
> => I disagree: AH for MIPv6 works, this is not deployable
> (because of the global PKI/authorization issue) nor efficient
> (as concrete tests have shown). And I believe we'll still see
> IPsec and MIPv6 together in the future because IPsec only
> provides a good security service in the network layer
> (i.e. not everywhere but somewhere).
ESP could work for BUs as well; I wrote a
draft that describes how. I have yet to see
something concrete that AH actually provides
that ESP cannot.
BTW: we don't need to burn a new protocol
number for BUs to get it to work with
IPsec: we could just make it a UDP packet.
Mike
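An added illustration of the AH versus ESP-NULL coverage point made above (example code written for this page, not from the thread or either author): it computes an HMAC-SHA1-96 integrity check value the AH way, zeroing the mutable IPv4 fields first and stitching three pieces together, and the ESP-NULL way, over the single contiguous ESP header + payload + trailer. The key, addresses, SPI and payload are constructed demo values, and the IPv4 header is simplified (no options, checksum left zero).

```python
import hmac
import hashlib
import struct

# Constructed demo key and payload (illustrative only, not values from the thread).
KEY = b"constructed-demo-key-0123456789"
PAYLOAD = b"constructed binding-update payload"
ICV_LEN = 12  # HMAC-SHA1-96 (RFC 2404): 20-byte SHA-1 digest truncated to 96 bits
IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags+frag, ttl, proto, csum, src, dst

def ipv4_header(ttl, tos=0, flags_frag=0x4000, proto=51,
                src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Minimal 20-byte IPv4 header; checksum left zero, length field illustrative."""
    return struct.pack(IPV4_FMT, 0x45, tos, 20 + len(PAYLOAD), 0x1234,
                       flags_frag, ttl, proto, 0, src, dst)

def ah_scrub_mutable(ip_hdr):
    """AH (RFC 4302) zeroes the mutable IPv4 fields before hashing, because
    routers rewrite them in flight: TOS, flags/fragment offset, TTL, checksum."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[1] = f[4] = f[5] = f[7] = 0
    return struct.pack(IPV4_FMT, *f)

def ah_icv(ip_hdr, spi, seq, payload):
    """AH ICV spans three pieces that must be assembled first: the scrubbed IP
    header, the AH header with its own ICV field zeroed, and the payload."""
    # next header = UDP (17); payload len = AH length in 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", 17, 4, 0, spi, seq) + bytes(ICV_LEN)
    data = ah_scrub_mutable(ip_hdr) + ah_hdr + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def esp_null_icv(spi, seq, payload):
    """ESP-NULL ICV covers one contiguous block, ESP header + payload + trailer,
    and never needs to look at the outer IP header at all."""
    pad_len = (-(len(payload) + 2)) % 4                 # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 17])  # default pad, next=UDP
    data = struct.pack("!II", spi, seq) + payload + trailer
    return hmac.new(KEY, data, hashlib.sha1).digest()[:ICV_LEN]

def coverage_report(spi=0x100, seq=1):
    """What AH's ICV binds: it survives a TTL decrement only because the field
    was zeroed, yet still detects a rewritten source address."""
    base, ttl_dec = ipv4_header(64), ipv4_header(63)
    rewritten = ipv4_header(64, src=b"\x0a\x00\x00\x01")
    ah = lambda h: ah_icv(h, spi, seq, PAYLOAD)
    return {"ah_survives_ttl": ah(base) == ah(ttl_dec),
            "ah_binds_src": ah(base) != ah(rewritten)}
```

`coverage_report()` returns both flags as True; `esp_null_icv` gives the same ICV regardless of how the outer header is rewritten, since the header is outside its scope.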