
Re: addresses and IKEv2



Steve,

Whom are you kidding?  Just because *you* don't change a DNS name bound
to a machine for 18 months doesn't mean that Yahoo doesn't on-the-fly
direct your HTTP post to one of 50 different servers depending on query
loads, etc.  When one designs a system one has to account for many
types of usage.  But at the same time you have to decide what to not
support.  For example should IPsec identify either a user or a host?
I would argue that only a host, and possibly a port, should be
identified, since IPsec is operating between the routing and transport
layers.

For you it may be simple to juggle multiple types of addresses (DNS, IP,
email, whatever). But to establish and manage IPsec sessions reliably
across millions of machines and tens of thousands of organizations, day
after day, year in and year out, with software written by hundreds of
protocol programmers in many companies and countries, is in practice a
nightmare. It took 3 years for the industry to be able to interoperate
with 3DES, some firms had to go through certification half a dozen times.
Is that what you want the industry to go through again by requiring
multiple ways of addressing hosts? To be successful, IPsec needs a simple
way to retrieve the key that actually does the work of authenticating the
host.  Neither DNS nor IP address are designed to do this well, they do
their respective existing jobs only too well.

Neither an IP address nor a DNS name will work because they are too
ephemeral.  Binding them into a certificate is just a snapshot of a
transient address to host key binding. All it does is introduce more
complexity, with certs littered about containing outdated host addresses,
not to mention yet another interoperability headache with certificate
authorities, revocation lists, etc.

BTW, quit asking for a definition of "security".  You know damn well it's
self referential.  It's like asking for a definition of "money" or "time".

For that matter, so is the definition of an IPsec host "address".

- Alex


--

Alex Alten
Alten@ATTBI.com