
Re: Simplifying IKE
Francis Dupont writes:
 > => but VPNs are the current market so if we remove everything not used
 > today only VPN stuff will remain. AH seems to be the first victim of
 > the "simplifying IKE" process and transport mode will be the second
 > (even if this has near nothing to do with the IKE issue and transport
 > mode is more primitive than tunnel mode: tunnel mode is used in VPNs
 > so it cannot be removed). IMHO this is just "remove everything we
 > don't like or don't use" but the net result can be a VPN only IPsec.

   This seems rather alarmist. I'm pretty
   convinced that most of the people who
   would like to see AH nuked aren't in favor
   of a VPN-only IPsec. In fact, I don't recall
   hearing anybody on this list make that suggestion.

 > => I disagree, the purpose of AH is the protection of payload
 > and headers (something ESP should not do because there already is AH)
 > and for a signaling protocol like MIPv6 AH is both simpler and cheaper

    ESP-NULL shouldn't be any more expensive than AH.
    In fact, it should be cheaper since it just calls
    the hashing algorithm over a single block rather
    than having to deal with the bits and dregs
    that AH needs to omit.

 > to use. The trouble of IPsec with MIPv6 is more IKE (the thing we are
 > supposed to simplify): obviously to run IKE phases 1 & 2 in order
 > to protect BUs (sometimes a single small packet) is overkill

   That assumes you only care about BU's...

 >    but it seems like a pretty vivid example of how more
 >    options == more confusion of how they all work (or
 >    don't work as the case were).
 >    
 > => I disagree: AH for MIPv6 works; this is not deployable
 > (because of the global PKI/authorization issue) nor efficient
 > (as concrete tests have shown). And I believe we'll still see
 > IPsec and MIPv6 together in the future because IPsec only
 > provides a good security service in the network layer
 > (i.e. not everywhere but somewhere).

   ESP could work for BU's as well; I wrote a
   draft that describes how. I have yet to see
   something concrete that AH actually provides
   that ESP cannot.

   BTW: we don't need to burn a new protocol
   number for BU's to get it to work with
   IPsec: we could just make it a UDP packet.

	     Mike
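
To make concrete the hashing difference Mike describes (AH having to zero the mutable header fields versus ESP-NULL hashing one contiguous region), here is an added Python example that is not part of the original thread. It assumes IPv4 with no options and HMAC-SHA1-96; the key, addresses, SPI and payload are constructed values.

```python
"""Added example: what AH and ESP-NULL each feed to the integrity hash (HMAC-SHA1-96).
AH must zero the mutable IPv4 fields (RFC 2402) and its own ICV field before hashing;
ESP (RFC 2406) hashes one contiguous region from the SPI to the next-header byte."""
import hashlib
import hmac
import struct

# Mutable IPv4 header fields AH zeroes: (byte offset, length) for
# ToS/DSCP, Flags+Fragment Offset, TTL, Header Checksum.  No IP options assumed.
MUTABLE_IPV4 = [(1, 1), (6, 2), (8, 1), (10, 2)]
ICV_LEN = 12  # HMAC-SHA1-96 truncation

def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Fixed 20-byte IPv4 header; ID and checksum are constructed dummy values."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0xBEEF, src, dst)

def ah_header(next_header, spi, seq):
    """AH header without the ICV.  Payload Len = (AH length in 32-bit words) - 2."""
    payload_len = (12 + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)

def ah_icv_input(ip_hdr, ah_hdr, payload):
    """Bytes covered by the AH ICV: IP header with mutable fields zeroed, AH header
    with the ICV field zeroed, then everything after it."""
    hdr = bytearray(ip_hdr)
    for off, ln in MUTABLE_IPV4:
        hdr[off:off + ln] = b"\x00" * ln
    return bytes(hdr) + ah_hdr + b"\x00" * ICV_LEN + payload

def esp_icv_input(spi, seq, payload, next_header, block=4):
    """Bytes covered by the ESP ICV: SPI, sequence number, payload, padding,
    pad length, next header.  One contiguous region, nothing to zero."""
    pad_len = -(len(payload) + 2) % block
    padding = bytes(range(1, pad_len + 1))
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])

def icv(key, covered):
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]

def ah_icv_for(ttl, dst=b"\x0a\x00\x00\x02", key=b"constructed-key"):
    """AH ICV over a constructed 16-byte payload; TTL is mutable, dst is not."""
    payload = b"binding-update!!"  # constructed payload standing in for a BU
    ah = ah_header(next_header=17, spi=0x100, seq=1)
    ip = ipv4_header(b"\x0a\x00\x00\x01", dst, 51, 20 + 12 + ICV_LEN + len(payload), ttl=ttl)
    return icv(key, ah_icv_input(ip, ah, payload))

if __name__ == "__main__":
    assert ah_icv_for(64) == ah_icv_for(63)  # a TTL decrement in transit does not break AH
    assert ah_icv_for(64) != ah_icv_for(64, dst=b"\x0a\x00\x00\x03")  # header tampering is caught
    print("ESP-NULL covered region:", esp_icv_input(0x100, 1, b"binding-update!!", 17).hex())
```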

