
Re: SOI QUESTIONS: 2.3 Authentication styles



Steve,

If you think the RFC 2401 issue that you bring up is a technical reason
for rejecting L2TP+IPsec, think again.

For the benefit of people who didn't go through this discussion I would
like to say that, IMHO, this issue of RFC 2410 and L2TP+IPsec not being
able to mandate 'static packet filtering' is not only NOT a technical
issue, but also the most absurd issue that we (all supporters of
L2TP+IPsec) had to put up with in the discussion. It should be amply
clear to anyone who is reading this thread that there is no consistency in
Steve's argument.

Of course there are always some people who want to take credit for
everything, and even take credit for the fact that something useful was
rejected!

We had so much technical discussion, but in the end, it just felt like
there wasn't any technical reason that we did not address. We may not have
had the moral majority, but a lot of stuff that goes on here doesn't have
it either.

I think RFC 2401 is the single biggest hurdle for IPsec technology. How
can we document 'IPsec architecture' in a single document 5 years ago?
IPsec is being used in so many different scenarios, and in so many
different and creative ways. To think that we can provide so much useless
information in an RFC, and still make it useful, is beyond me. I generally
advise people who want to start on IPsec to just skip RFC 2401, and come
back to it only after they know IPsec a little bit, so that they can weed
out the useless stuff efficiently. I think the duality of this WG, not
being able to decide whether 'remote access' belongs here or not, is
somewhat due to our closed definition of 'IPsec architecture'.

    chinna

On Fri, 21 Jun 2002, Stephen Kent wrote:

> At 8:44 PM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
> >Not an inefficiency if you don't run a firewall in your implementation,
> >and your standard of security is only what is provided by a 'static packet
> >filter'. We call that ACL functionality, not even a firewall
> >functionality.
> >
> >     chinna
> >
>
> The term "ACL" has been well understood in the information security
> literature for over 30 years. It is quaint that Cisco (I assume the
> "we" above) has adopted that term for a particular functionality in
> their products, but Cisco's effective monopoly status in the router
> product arena does not confer any special status on the neologistic
> use of the term.
>
> Steve
>

__
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."