[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove private-use values from IKEv2

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: Remove private-use values from IKEv2
From: Dan Harkins <dharkins@tibernian.com>
Date: Thu, 14 Mar 2002 15:42:17 -0800
Cc: ipsec@lists.tislabs.com
In-Reply-To: Your message of "Thu, 14 Mar 2002 14:52:40 PST." <p05101415b8b6d8f1a45f@[165.227.249.20]>
Sender: owner-ipsec@lists.tislabs.com

On Thu, 14 Mar 2002 14:52:40 PST you wrote
> At 2:14 PM -0800 3/14/02, Dan Harkins wrote:
> >   New capabilities are things like a tunnel discovery protocol, a
> >policy download capability, and new techniques at authentication.
> >These do not fit nicely into the "replace this with that" model
> >you are suggesting.
> 
> Right: they can be done *in* the Vendor ID payload itself.

How can you do a tunnel discovery protocol *in* a vendor ID payload?

> >   Also the critical bit is useful even without private use numbers. It
> >is unreasonable to assume a nationwide flag day to upgrade everyone to
> >new bits that include use of a new payload with an IANA-assigned value.
> >Using the critical bit will allow existing implementations that do not
> >know about this new IANA-assigned payload to safely ignore it or properly
> >discard the message containing the unknown payload.
> 
> And that can be handled other ways as well, such as different numbers 
> for security-critical payloads. Allowing an implementation to decide 
> "I'm saying this is security-critical" instead of the IPsec WG 
> deciding whether or not it is security-critical is a bad design and 
> is sure to lead to interop problems.
> 
> >   Finally, interoperability problems using private use values is a
> >symptom of a problem. We should fix the problem, not the symptom.
> 
> Please say more!

The only reason to try to test interoperability of implementations using
private use values is because the thing they are doing with private use
values cannot be done in a standard fashion and that thing is important
enough that multi-vendor interoperability is important. 

But if it is that important then why don't we come up with a standard way
to do it? Politics is one. Bureaucracy and WG inertia is another (that
it takes longer for the WG to decide something than for huge companies
to go through two complete product cycles is sad).

If a solution to a problem that people are demanding a solution to is
either politically forbidden or only likely to to come out in 3-5 years
then vendors are going to bypass the process.

Taking away private use values because people are misusing them (how to
standardize something outside of the standardization process) will only
cause the workarounds they devise to be more novel and problematic. We
should fix the problem that is causing them to misuse the private use
values in the first place.

  Dan.

Follow-Ups:
- Re: Remove private-use values from IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

References:
- Re: Remove private-use values from IKEv2
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: RE: Remove private-use values from IKEv2
Next by Date: Re: Remove SHOULD for elliptic curve groups in IKEv2
Prev by thread: Re: Remove private-use values from IKEv2
Next by thread: Re: Remove private-use values from IKEv2
Index(es):
- Date
- Thread