On Wed, 21 Nov 2001, Michael Thomas wrote:
> > ...You start out saying "identity
> > protection should not be mandatory if it is expensive", which is at least
> > defensible. But then you switch to "since identity protection is known to
> > be expensive, it must not be mandatory", which is simply unfounded...
>
> I meant what was started out with.
Correct. Which is what I describe above: it claims to be a requirement,
but it's half requirement and half incorrect conclusions drawn from the
requirement. You need to fix it. All the statements (not just the first
one) about how it ought to be optional need to be qualified with "unless
it's cheap".
Making stuff optional is *not* a good thing, in general. Better to have
only one way to do things -- it simplifies analysis, implementation, and
testing. Alternatives should be present only if they are truly necessary.
IPsec in general, and IKE in particular, currently has a near-fatal case
of optionitis.
Requirements should state the results to be achieved, rather than trying
to dictate how they are achieved. "The protocol shall not include a
mandatory extra round trip solely for identity protection" is a
requirement. "Identity protection should be optional because it is too
expensive" is an attempt to dictate *how* that mandatory round trip is to
be avoided; IKEv2 demonstrates that there are better ways, which should
not be precluded by jumping to conclusions at requirements time.
> ...we still haven't mentioned the other part of my
> initial post which was about DoS protection which
> I lump in the same category: make it optional for
> when the exceptional conditions arise.
Unless it's cheap, in which case it should be not merely permitted and
encouraged, but mandatory.
Henry Spencer
henry@spsystems.net