[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Move TS to optional (RE: Don't remove TS from IKEv2)

To: "Rajesh Mohan" <rajesh.mohan@nexsi.com>
Subject: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
From: Stephen Kent <kent@bbn.com>
Date: Mon, 25 Mar 2002 13:22:46 -0500
Cc: "IP Security List" <ipsec@lists.tislabs.com>
In-Reply-To: <OLEPJEJDFKFHHJDEPBBKCEAECCAA.rajesh.mohan@nexsi.com>
References: <OLEPJEJDFKFHHJDEPBBKCEAECCAA.rajesh.mohan@nexsi.com>
Sender: owner-ipsec@lists.tislabs.com

At 6:01 PM -0800 3/22/02, Rajesh Mohan wrote:
>  >
>>  Any optional feature is one more decision that can be made differently by
>>  different implementors, breaking interoperability.  Not a good idea.
>>
>>  Moreover, that *doesn't* simplify the protocol.  Indeed, it
>>  complicates it,
>>  because now all analysis must consider two different cases (TS and no-TS).
>>
>
>I do not agree that no-TS feature will break interoperability. It really
>depends on how we define interoperability. When two gateways negotiate to
>not use TS, then the two gateways are said to interoperate as long as they
>establish an SA and are able to decrypt a packet that is encrypted. *** They
>have chosen to use a policy enforcer outside IPSec ***. So, traffic not
>flowing because of misconfigured policy enforcer should not concern this
>group.
>
>We do not need no-TS feature if IKEv2 can solve all cases. Can we configure
>IKEv2 such that between the same pair of host we have "ESP null for H.323"
>and "ESP for FTP"? If the draft cannot cover this case, then no-TS feature
>will be useful where it is needed.
>
>There are environments where people can trust all traffic through a tunnel.
>It can be used in those cases. We can have a firewall rule to encrypt all
>traffic going through some interface or accept only encrypted traffic
>through some interface. In a dynamic routing environment, this may be
>useful. People will find ways to use VPN if you do not make TS mandatory.
>With no-TS feature, we will have more port based VPNs. Making it optional
>does not hurt anyone. It will help us use VPNs in new ways.

it is important to remember that in developing a standard we try to 
accommodate a broad range of anticipated users, but we do not do so 
optimally. Making transmission of traffic selector info optional adds 
complexity to the system, because a compliant system has to be able 
to deal with this data, and to be able to deal with it's absence. I 
don't doubt that some folks might like to use some non-IPsec 
mechanism to achieve the same effect, but do we want to add 
complexity to the system in order to accommodate this set of 
prospective users?

Steve

References:
- RE: Move TS to optional (RE: Don't remove TS from IKEv2)
  - From: "Rajesh Mohan" <rajesh.mohan@nexsi.com>

Prev by Date: RE: Don't remove TS from IKEv2
Next by Date: Re: Move TS to optional (RE: Don't remove TS from IKEv2)
Prev by thread: RE: Move TS to optional (RE: Don't remove TS from IKEv2)
Next by thread: Re: Move TS to optional (RE: Don't remove TS from IKEv2)
Index(es):
- Date
- Thread