Re: IPSEC Minutes
>Son of Ike / Immediate Changes to Ike
>=====================================
>
>Ted Ts'o made some opening comments to frame the discussion. Marcus,
>Jeff, and Steve's note to the list was a restatement of the position
>they set a year or so ago. The two things that require near term changes
>to IKE are SCTP compatibility and NAT/Firewall traversal. There haven't
>been many changes to the SCTP draft and Barbara and Ted will be talking
>to the editors after the meeting to see how we can move the document
>forward. NAT/firewall traversal drafts now exist that harmonize the
>previous drafts. The only problem remaining is AH. The AH part in
>encapsulation draft is incorrect. Question is do we need AH? About a
>dozen folks are implementing. Only one person in the room supported
>including AH, all others were against including AH. This topic will be
>taken to the list to allow for comment and within 3 weeks we should be
>able to go to wg last call.

I was not in the meeting room because of a conflicting meeting. Sorry.
Not sure why "kill AH" is a part of the son-of-IKE discussion. We do use
AH (*) and would like to be able to negotiate AH.

(*) Specifically mobile-ip6. As you notice, there is a fair amount
of discussion, but my guess is that AH will be used in the end -
any change to the authentication mechanism does not help the lack of
certificate infrastructure, therefore, the choice of authentication
mechanism does not really matter. I believe it was incorrect to blame
AH for the mobile-ip6 "lack of cert infrastructure" issue.

itojun