[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: IKEv2 transport concerns

To: Black_David@emc.com
Subject: RE: IKEv2 transport concerns
From: Stephen Kent <kent@bbn.com>
Date: Fri, 20 Dec 2002 11:03:38 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <277DD60FB639D511AC0400B0D068B71E0564C602@corpmx14.us.dg.com>
References: <277DD60FB639D511AC0400B0D068B71E0564C602@corpmx14.us.dg.com>
Sender: owner-ipsec@lists.tislabs.com

At 8:46 PM -0500 12/6/02, Black_David@emc.com wrote:
>  > >>  >I think it needs to be in both places.  We have a one-time
>opportunity
>>  >>  >to avoid the IKEv1 ECN negotiation kludge if all IKEv2
>implementations
>>  >>  >are REQUIRED to handle ECN correctly at tunnel egress.  IMHO, this
>>  >>  >outcome is important enough to merit specifying the means of
>achieving
>>  >>  >it in both the IKEv2 and RFC2401bis documents.  If we wind up dealing
>>  >>  >with IKEv2 systems that get this wrong, the negotiation kludge will
>be
>>  >>  >with us for much longer ...
>>  >>
>>  >>  David,
>>  >>
>>  >>  I don't think the IKE v2 document is the appropriate place to make
>>  >>  note of the ECN handling you refer to, since it applies to the
>>  >>  actions performed on the child SAs that IKE establishes, not on the
>>  >>  IKE SAs, right? It really is a 2401bis matter, I believe.
>>  >>
>>  >>  Steve
>>  >
>>  >Will 2401bis progress on a timeline that will allow a normative reference
>>  >to it from IKEv2?  If so having IKEv2 say "MUST do ECN right, see 2401bis
>>  >for details" would be fine.  I'm concerned that no mention of this at all
>in
>>  >IKEv2 implicitly allows IKEv2 to negotiate 2401classic style tunnel
>handling
>>  >of ECN, and that would be unfortunate.
>>
>>  David,
>>
>>  I doubt that IKE v2 and 2401 bis will be issued concurrently. But, my
>>  concern is over where a requirement belongs in our documents, more
>>  than what gets it out soonest. I recognize the value in the time to
>>  market issue you raise, but I think putting requirement in the proper
>>  place is more important.
>>
>>  Steve
>
>Steve,
>
>Would you be amenable to an approach based on a small draft that
>contains just the tunnel encapsulation/decapsulation material needed
>to specify ECN handling for tunnel-mode SAs?  That could be put
>together in short enough order to allow IKEv2 to use a "MUST" to
>reference it without delaying IKEv2.  When 2401bis is ready, it
>would obsolete both the new small tunnel draft and 2401 itself,
>so that the requirement winds up in the right place.  I'll sign
>up to write the small ECN handling draft on a schedule that won't
>hold up IKEv2. 
>
>If 2401bis gets done faster than expected, the new small ECN handling
>draft could vanish without a trace, having served its purposes
>of preventing 2401-classic tunnel (mis)handling of ECN in SAs set up
>by IKEv2, and allowing us to leave the IKEv1 ECN negotiation
>kludge on the scrap heap where it belongs.
>
>Thanks,
>--David

David,

I'm in favor of keeping the ECN processing separate from IKE v2, so 
to that extent the separate draft sounds good. However, I would like 
to be reminded of the reason for having a reference to the separate 
draft in IKE v2.

Steve

References:
- RE: IKEv2 transport concerns
  - From: Black_David@emc.com

Prev by Date: Re: speaking of keys
Next by Date: Re: Secure legacy authentication for IKEv2
Prev by thread: Re: IKEv2 transport concerns
Next by thread: RE: IKEv2 transport concerns
Index(es):
- Date
- Thread