
Re: addresses and IKEv2



Alex Alten wrote:

[...snip...]
 
> To reiterate my position: IPsec needs to have a global, secure address space
> that uniquely identifies every participating host.  It needs to be simple to
> understand, distributable, and easy to manage.  And it needs to be able to
> dynamically map into the IP address space on demand, including private
> network non-routable addresses.
> 
> That's the requirements as I see them.  Anything less than this means
> you can't use IPsec unencumbered across the Internet.


The trouble is that potentially any device is an IPsec host (or should
that be "any device is potentially an IPsec host"?). So you need a
scheme for naming everything. Which is a much bigger job than defining
IPsec protocols, and has been tried a number of times, littering
standard space with documents mostly beginning with "X." - using the
least bad existing system (whichever it happens to be) is almost
certainly going to be more feasible than devising and managing your own
- let alone persuading the entire world to use it. It's not as if such a
thing can be invisibly built in to software that implements the protocol
- you have to have a way of issuing names, controlling their use, and
making sure the naming system itself is both robust and reliable.
That's going to mean some central registry and a global network of
keyservers or nameservers (even if they aren't called that).

We can get away with a global namespace of, say, MAC addresses,
hardwired into devices or assigned locally by software, because we don't
/really/ care if someone doesn't play ball - as long as they remain on
their own networks that's their problem. (Well, except for edge routers,
but you see what I mean.) It doesn't really have to be secure or global
(though it is a bit easier if it is global). The IP namespace gets a
lot more political and centralised, and the DNS even more political,
because it is decentralised. And your system - in which everything has to be
both globally unique /and/ secure, /and/ participating devices have to
be able to find out each other's names anywhere in the world - is also
going to be complex and political.

Of course it might be that the statement "you can't use IPsec
unencumbered across the Internet" is going to be true.

Ken Brown
Birkbeck College, London University