
Re: SOI QUESTION: 6.5 Extensibility of the protocols



On Fri, 12 Jul 2002, Theodore Ts'o wrote:

>
> Please discuss and answer the following question (last one!):
>
>
> 6.5 Extensibility of the protocols
>
> 6.5.A) Should SOI have mechanisms for allowing extensions to the SOI
> protocol?
>

Absolutely. Yes. Being able to prototype and roll out non-standard
extensions is how progress is made. Xauth and config-mode break that
rule, of course (because they break interoperability). We wouldn't be
able to talk about keepalives without having rolled it out as an
extension, for example.

That being said, there needs to be a better way than the vendor ID (I
prefer RADIUS' mechanism (attribute 26, Vendor-Specific, in RFC 2138); I
can dig out my proposal to do such a mechanism in IKE if people are
interested).


> 6.5.B) Should SOI need a way to mark new extensions as critical?
> (i.e. If you don't understand a critical extension you must fail the
> entire negotiation)
>

Sounds good to me. I'm not a strong advocate of the critical bit, but
I can see its value.

jan


> Implications from the Scenarios:
>
> VPN, End-to-End, : <<<Extensions to the IPsec (now known as phase 2)
> parameters are needed in order to negotiate QoS characteristics for
> the various tunnels.>>> [[[6.5]]]
>
> IPS: <<<However, the discussion in [ietf-ips-security-xx.txt] calls out
> requirements for an API, in order to provide a means of pushing
> authentication information to the application (e.g. "this peer was
> authenticated with this cert"), so the application can decide what types
> of transactions are allowed by this peer.>>> [[[6.5]]]
>
> PPVPN/MPLS: <<<it may make sense to expand the set of phase 2
> identifiers to also support an MPLS/VPN identifier (so the entity
> doing the SPD check can be separated from the entity doing the
> encapsulation).>>> [[[6.5]]]
>
> Implications from the Scenarios:
>
> [none]
>

 --
Jan Vilhuber                                            vilhuber@cisco.com
Cisco Systems, San Jose                                     (408) 527-0847

http://www.eff.org/cafe
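One way the two points in the reply above could fit together, as an added illustration that is not from the thread or any SOI draft: a RADIUS-style Vendor-Specific carrier (Vendor-Id plus vendor sub-attributes, after attribute 26 in RFC 2138) instead of a bare vendor ID, and a critical bit that fails the whole negotiation when the receiver does not understand an extension. The TLV layout, the use of the type octet's high bit as the critical flag, and the vendor and sub-type numbers are all assumed here.

```python
import struct

# Constructed format (an assumption, not an SOI or IKE layout): each extension is
# type(1) length(1) value, where the high bit of the type octet marks it critical
# (6.5.B).  Type 26 mirrors the RADIUS Vendor-Specific layout of RFC 2138: a 4-octet
# Vendor-Id (high octet zero) followed by vendor sub-attributes (type, length, data).
TYPE_VENDOR_SPECIFIC = 26
CRITICAL_BIT = 0x80

KNOWN_TYPES = {1, 2, TYPE_VENDOR_SPECIFIC}   # extension types this receiver implements
KNOWN_VENDOR_SUBTYPES = {(9, 1)}             # (Vendor-Id, sub-type) pairs it implements

class NegotiationFailure(Exception):
    """Raised when the negotiation must be aborted (malformed or unknown critical)."""

def parse_vsa(data):
    """Split a Vendor-Specific value into (vendor_id, [(sub_type, sub_value), ...])."""
    if len(data) < 4:
        raise NegotiationFailure("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", data[:4])[0]
    if vendor_id >> 24:
        raise NegotiationFailure("Vendor-Id high octet must be zero")
    subs, off = [], 4
    while off < len(data):
        if off + 2 > len(data):
            raise NegotiationFailure("truncated vendor sub-attribute header")
        sub_type, sub_len = data[off], data[off + 1]
        if sub_len < 2 or off + sub_len > len(data):
            raise NegotiationFailure("malformed vendor sub-attribute length")
        subs.append((sub_type, data[off + 2:off + sub_len]))
        off += sub_len
    return vendor_id, subs

def parse_extensions(payload):
    """Return understood extensions as (type, vendor_id, sub_type, value) tuples.

    Unknown non-critical extensions are skipped; unknown critical ones abort."""
    accepted, off = [], 0
    while off < len(payload):
        if off + 2 > len(payload):
            raise NegotiationFailure("truncated extension header")
        raw_type, length = payload[off], payload[off + 1]
        if length < 2 or off + length > len(payload):
            raise NegotiationFailure("bad extension length")
        critical, ext_type = bool(raw_type & CRITICAL_BIT), raw_type & ~CRITICAL_BIT
        value = payload[off + 2:off + length]
        off += length
        if ext_type == TYPE_VENDOR_SPECIFIC:
            vendor_id, subs = parse_vsa(value)
            for sub_type, sub_value in subs:
                if (vendor_id, sub_type) in KNOWN_VENDOR_SUBTYPES:
                    accepted.append((ext_type, vendor_id, sub_type, sub_value))
                elif critical:  # vendor extension we do not implement, marked critical
                    raise NegotiationFailure(f"unknown critical vendor ext {vendor_id}/{sub_type}")
        elif ext_type in KNOWN_TYPES:
            accepted.append((ext_type, None, None, value))
        elif critical:
            raise NegotiationFailure(f"unknown critical extension type {ext_type}")
    return accepted
```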