
Re: Configuration portion of OPEN ISSUES...



Comments below...

Theodore Ts'o wrote:
> 
> On Tue, Feb 25, 2003 at 03:02:40PM -0800, Gregory Lebovitz wrote:
> > >     * Keep configuration payload and allow optional
> > >             RFC 3456-style configuration
> >
> > If I'm reading your options correctly, we (I THINK) had some consensus (or
> > at least strong interest) on the list for the last option, and some folks
> > are working on text to clarify it.
> 
> I THOUGHT we had some consensus for that as well, but right after
> Barbara and I gave Charlie editing directions for ikev2-05, and
> several days after the conclusion of the comment period for how to
> resolve these issues, a number of implementors, including Tero, Derek,
> Tylor Allison, argued against this position.  And others, including
> Scott Kelly and Pekka Riikonen, suggested a DHCP-over-IKE.  (Sorry for
> not including it in our original list.)  And none of the people in
> favor of keeping configuration payload spoke up.

For the record, I did not suggest DHCP-over-IKE, and I think Tero,
Derek, and Tylor did (and maybe Pekka too). There were a number of
others as well, including Gregory Lebovitz and Michael Richardson. For
my part, I suggested that it should be *discussed* as one possible
alternative, and I am glad to see that the discussion has not been
summarily abbreviated. 

Arguably, one of the reasons we are still discussing remote access
issues after 4 years of bickering is that the discussion process has not
truly been open. Directives have come down from the AD's and/or the wg
chairs without adequate open discussion of the issues and alternatives.
Remote access has been treated as an unwanted stepchild of ipsec, when
in fact, it is one of the primary commercial deployment scenarios for
ipsec today. 

Everyone here who has been participating must agree that at some times,
some topics have been off-limits - and it is not clear that this has
been appropriate. We will only reach an agreement (which may turn out to
be one that is distasteful in equal parts for all concerned) if the
process is open. Clearly it must be a bounded discussion in terms of
time, but it must be had in full regardless of its impact upon
artificial deadlines. Even though we all want to get this behind us asap
and move on, the discussion will never finally be closed until we all
agree that all realistic approaches have been fairly evaluated.

> One of the frustrating things about trying to determine consensus in
> the IPSEC wg is that the consensus seems to change from week to week,
> perhaps (in part) because some wg contributors are not reading this
> mailing list regularly.

I think a few of us have flip-flopped or otherwise significantly altered
our positions in the last month (or at least, I know that I have). For
my part, it has been largely due to running out of energy, and tiring of
the squabbling after so many years. I still have strong opinions about
how little need there is to impact ipsec/ike with remote access
configuration, but I am clearly in the minority, and in the interest of
forward progress, I have demonstrated my willingness to acknowledge my
fallibility, and to compromise and move forward. I would hope others
would do the same, and that the comment above is not intended to
criticize those who might do so.

Scott