
Re: Notify SPI field specifications



On Tue, 28 Aug 2001 19:50:19 BST you wrote
> 
> Merging the documents is not a magic wand you can wave in order to make the
> documents clearer; you actually have to write the text clearly and
> unambiguously.

I never said it was a magic wand. I said it would clean up just the sort
of confusion that started this thread: one document saying one thing and
another saying something different. If there is one document then that
problem doesn't happen.

> Perhaps the problem is that RFC2409 didn't need to be a generic key
> exchange. Isn't it possible that only one of the 3 documents is confusing?
> Criticizing your own document due to circumstances beyond your control seems
> like passing the buck.

No it didn't and no I don't think so. You may be able to explain the true
meaning of the Commit Bit by just reading RFC2408 but no one else can.
And I don't think anyone can justify the seemingly mandated covert channel
in RFC2408.

We have payloads being defined in one document and redefined in another.
We have overly generic descriptions of things simply because there is this
artificial layering of the documents. That will all go away.

> I keep hearing, without substantiation, that having a DOI has greatly
> complicated IKE. However, I have noticed that 4 other groups have exploited
> this feature to create keying protocols with much reduced effort, and all
> without any extra work by me.

The artificial layering has greatly complicated the key management protocol
for IPsec. It is completely unnecessary. The problem that the DOI adds is
not only one of added genericity (the attempt to be vague enough to
satisfy all sorts of possible key management protocols) but it encourages
people to overload one single port with all sorts of security protocols.
That is A Bad Thing.

Which 4 keying protocols have been created with the DOI concept? KINK? No.
GDOI? Sort of but not really. OSPF DOI? That died. RIP DOI? That died too.

> > "I personally think it is very dangerous to organize
> >  referendums when you're not sure to win them"
> >    -- Louis Michel, President of the European Union
> 
> You can always hold another referendum next year, and keep holding them once
> every few years until you win.

You of all people should not be making fun of someone's sig. I've left your
pompous one below for comparison.

> Andrew
> -------------------------------------------
> Upon closer inspection, I saw that the line
> dividing black from white was in fact a shade
> of grey. As I drew nearer still, the grey area
> grew larger. And then I was enlightened.

  Dan.

"I personally think it is very dangerous to organize
 referendums when you're not sure to win them"
   -- Louis Michel, President of the European Union

