
Re: DRAFT: ipsec charter update

On Thu, Aug 09, 2001 at 10:31:16PM -0600, Horn, Mike wrote:
> I think this is definitely a step in the right direction, but it seems in
> direct conflict with the position statement that was just sent out by Marcus
> Leech.  Does this have approval from the IESG and IAB?  Also, how does this
> fit in with the work going on to simplify IKE?  Are things like removing AH,
> aggressive mode, etc. still open for discussion?  Again, it's great to see
> the working group moving forward to provide standardized solutions for known
> problems.

There's a certain amount of misunderstanding about the position
statement which Marcus, Jeff, and Steve put together.  Marcus and
Steve (Jeff couldn't make it to London) clarified this at the IPSEC wg
meeting on Monday.  First of all, IKE is *not* broken, and we're not
abandoning development on IKE (as Network World reported in screaming
front-page headlines).

Secondly, the note was only giving a rationale for the same moratorium
that has been in place for the last year.  So things like the NAT/FW
traversal, SCTP, etc. were never under the moratorium in the first
place.

Barbara and I did consult with Marcus before we drafted the charter,
and the only thing on the proposed charter which might be
considered new with respect to the moratorium was the rekeying issue,
and presumably this is the one thing which might be in danger of being
turned down by the IESG/IAB when they consider our proposed new
charter.  The rekeying clarification was added because there were a
number of people who strongly asked for this at the IPSEC meeting.
It's not really *changing* IKE, as much as we are specifying a
behaviour where the current standards are completely silent.

Personally, I think the odds are 50-50 that the question of getting
IESG/IAB permission is moot, since we tried to standardize rekeying
about a year ago, and the problem was that roughly 50% of the deployed
implementations were doing it one way, and the other 50% were doing it
the other way, and no one seemed willing to change their
implementations.  So I'm not sanguine about why we will be successful
now when we weren't successful a year ago, but if people want to give
it a try, I certainly would be very pleased to be proven wrong.

(And as I understand things the current non-standardization doesn't
mean that things are *completely* broken, just that interoperability
with respect to rekeying is just very, very hard.)

							- Ted