
Re: addresses and IKEv2



Ken,

I appreciate your insightful remarks below.  You have "hit the nail on the 
head" as we say on this side of the Atlantic.  In fact your remarks contain
the nuggets of the solution, which as you have correctly pointed out, will
be both technical and political in nature.  My comments in response to
yours are interspersed with yours below.

Sincerely,
- Alex


At 10:32 AM 5/27/2002 +0100, Ken Brown wrote:
>Alex Alten wrote:
>
>[...snip...]
> 
>> To reiterate my position: IPsec needs to have a global, secure address space
>> that uniquely identifies every participating host.  It needs to be simple to
>> understand, distributable, and easy to manage.  And it needs to be able to
>> dynamically map into the IP address space on demand, including private
>> network non-routable addresses.
>> 
>> That's the requirements as I see them.  Anything less than this means
>> you can't use IPsec unencumbered across the Internet.
>
>
>The trouble is that potentially any device is an IPsec host (or should
>that be "any device is potentially an IPsec host"?). So you need a
>scheme for naming everything. Which is a much bigger job than defining
>IPsec protocols, and has been tried a number of times, littering
>standard space with documents mostly beginning with "X."  - using the
>least bad existing system (whichever it happens to be) is almost
>certainly going to be more feasible than devising and managing your own
>- let alone persuading the entire world to use it. It's not as if such a
>thing can be invisibly built in to software that implements the protocol
>- you have to have a way of issuing names, controlling their use, and
>making sure the naming system itself is both robust and reliable.
>That's going to mean some central registry and a global network of
>keyservers or nameservers (even if they aren't called that).
>

I absolutely agree with the above paragraph.  I wish we could use an
existing standard, but unfortunately the successful ones require that
all the participants be trustworthy and follow the rules.
This cannot be the basis of our address system; unfortunately we must
assume that a significant number of hosts will be untrustworthy (not
to mention the different policies of each organization that must be
enforced separately).

And yes, this probably means a set of key servers, probably one per
organization, across the Internet.  At first a central (trusted) 
registry may not be required, but once trusted organization networks
start linking up in great numbers then one, or a limited number, would
be needed.

>We can get away with a global namespace of, say, MAC addresses,
>hardwired into devices or assigned locally by software, because we don't
>/really/ care if someone doesn't play ball - as long as they remain on
>their own networks that's their problem. (well, except for edge routers,
>but you see what I mean). It doesn't really have to be secure or global
>(though it is a bit easier if it is global).  The IP namespace gets a
>lot more political and centralised, and the DNS even more political,
>because it is decentralised. And your system - in which everything has to be
>both globally unique /and/ secure, /and/ participating devices have to
>be able to find out each others names anywhere in the world - is also
>going to be complex and political. 
>

Yes, I'm afraid you are absolutely right. Technically I'm absolutely
certain we could come up with a very good model (you're right it doesn't
have to be secure or global, but it can't be as transient as IP addresses),
but then how to handle the politics of assigning blocks of addresses (or
whatever) will be a serious challenge. Also, especially in light of Sept.
11th, we will need to be very careful about how we handle key distribution and
escrow.  The days when a few long-haired guys with PhDs here in the US
could quietly do things are long gone.

>Of course it might be that the statement "you can't use IPsec
>unencumbered across the Internet" is going to be true.
>

Which might not be such a bad thing in my mind.  I've not been happy
with the rest of the IPsec design, which I've documented thoroughly in
prior postings to this WG.  I wouldn't mind seeing a fresh start with a
clean sheet of paper (and with a lot fewer people involved).  I'll
probably get publicly flamed for these comments, right Dan?

>Ken Brown
>Birkbeck College, London University
>


--

Alex Alten
Alten@ATTBI.com