Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
At 9:28 AM +0300 6/18/03, Tero Kivinen wrote:
>Stephen Kent writes:
>> syntax from 2402. Suggesting that we change AH to accommodate SEND's
>> possible use of it, in a fashion not consistent with the current
>> specs, is asking quite a lot.
>
>SEND is a user of AH. Are there any other real users of AH? In
>earlier days there were people saying that we should remove the whole
>of AH as nobody uses it. Now there seems to be SEND that is using it,
>but they want to do something differently. Do we want to say to our
>(only?) user that no, we do not allow you to do anything differently?
The way you seem to want to use AH is so different from normal IPsec
processing as to warrant having a different protocol, in my view. You
can't just appropriate the name of the protocol and its syntax, but
change the processing model.
>Do we want them to create another protocol replacing their use of AH?
>Other people who have been saying that they want to use AH are the
>Mobile IP people. What do they want? Is the current spec fine with
>them, or do they want similar processing to SEND?
Good question.
>Actually they quite often want to do demultiplexing based on the
>fields inside the mobility or routing header not the outer IP address.
>I.e., they might need a different demultiplexing algorithm too.
Then we have a BIG problem. So far I have not seen a mature proposal
from mobile IP that requires what you suggest.
>
>So the real questions are:
>
>Is there any use for the AH as it is now specified?
Very little. But, that does not mean that one can redefine it and
still have it be part of IPsec.
>What are application(s) / protocol(s) which will use it?
This is not the right question. The question is whether AH does what
you want for SEND. If not, and if the changes are significant, then
create a different protocol.
>If we cannot answer those questions I think we should drop the
>current AH from the IPsec WG and say that SEND/Mobile IP etc can
>specify it so that it will be suitable for them :-)
The SEND WG can create its own protocol, but there is no technical
rationale for reusing the AH name. Reuse would only cause confusion.
>I do not want any generic text saying "someone might want to use it if
>the phase of the moon is full and ..., and,... and ... export control
>... and ... government ... and ...".
>
>I do want a current real-world example where the current AH (as
>specified in the current document) is actually used or is planned to be used. I
>do NOT see any use for the AH on the VPNs or road warriors IPsec
>clients.
We appear to disagree on the ground rules. You seem to be suggesting
that AH is like an abandoned ship, and whoever gets to it first can
claim the name and redefine it :-) If IPsec has no continuing use for
AH, then maybe we can retire the protocol number after a few years,
but we seem to have some folks who suggest otherwise. I think the
best course is to define a protocol that does what SEND needs and not
try to twist AH into that protocol.
Steve
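The processing model Steve is defending, and that the Mobile IP remark above would depart from, is that an inbound AH packet is matched to its Security Association by the destination address in the outer IP header plus the protocol and the SPI carried in the AH header, and by nothing deeper in the packet. The following is an added illustration of that standard inbound path, written for this page and not taken from the IPsec drafts, the SEND work, or either correspondent. It assumes IPv4 without options, HMAC-SHA1-96 as the integrity algorithm, and a simplified (strictly increasing) replay check in place of RFC 2402's sliding window; the addresses, SPI and key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51        # IP protocol number assigned to AH
ICV_LEN = 12         # HMAC-SHA1-96: the 160-bit HMAC truncated to 96 bits
AH_FIXED_LEN = 12    # next header, payload len, reserved, SPI, sequence number
IP_HDR_LEN = 20      # IPv4 header without options (options are not handled here)


def _checksum(data):
    """Standard ones-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _icv_input(packet):
    """Copy of the packet with the fields AH does not protect zeroed: the mutable
    IPv4 fields (TOS, flags/fragment offset, TTL, header checksum) and the ICV
    field itself, as RFC 2402 section 3.3.3.1 specifies."""
    buf = bytearray(packet)
    buf[1] = 0
    buf[6:8] = b"\0\0"
    buf[8] = 0
    buf[10:12] = b"\0\0"
    icv_off = IP_HDR_LEN + AH_FIXED_LEN
    buf[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)


def build_ah_packet(src, dst, spi, seq, key, payload, next_header=17, ttl=64):
    """Sender side: IPv4 header + AH header + payload, ICV computed with HMAC-SHA1-96."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    total_len = IP_HDR_LEN + ah_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl,
                     AH_PROTO, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    # Payload Len is the AH length in 32-bit words minus 2 (RFC 2402 section 2.2)
    ah = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = bytearray(ip + ah + payload)
    icv = hmac.new(key, _icv_input(bytes(pkt)), hashlib.sha1).digest()[:ICV_LEN]
    pkt[IP_HDR_LEN + AH_FIXED_LEN:IP_HDR_LEN + AH_FIXED_LEN + ICV_LEN] = icv
    pkt[10:12] = struct.pack("!H", _checksum(bytes(pkt[:IP_HDR_LEN])))
    return bytes(pkt)


def lookup_inbound_sa(packet, sad):
    """Standard IPsec demultiplexing: the inbound SA is chosen by (destination
    address, protocol, SPI) taken from the outer IP header and the AH header,
    and by nothing else in the packet. Returns the SA entry, or None."""
    if len(packet) < IP_HDR_LEN + AH_FIXED_LEN or packet[0] != 0x45 or packet[9] != AH_PROTO:
        return None
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    spi = struct.unpack("!I", packet[IP_HDR_LEN + 4:IP_HDR_LEN + 8])[0]
    return sad.get((dst, AH_PROTO, spi))


def process_inbound_ah(packet, sad):
    """Receiver side: SA lookup, ICV check, then a simplified anti-replay check.
    Returns the protected payload on success, None on any failure."""
    sa = lookup_inbound_sa(packet, sad)
    if sa is None:
        return None
    next_header, payload_len, _, spi, seq = struct.unpack(
        "!BBHII", packet[IP_HDR_LEN:IP_HDR_LEN + AH_FIXED_LEN])
    ah_len = (payload_len + 2) * 4
    if ah_len != AH_FIXED_LEN + ICV_LEN:
        return None                      # only HMAC-SHA1-96 is supported here
    icv_off = IP_HDR_LEN + AH_FIXED_LEN
    expected = hmac.new(sa["key"], _icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, packet[icv_off:icv_off + ICV_LEN]):
        return None
    # Simplified replay protection: strictly increasing sequence numbers
    # (RFC 2402 uses a sliding window; that is omitted in this example)
    if seq <= sa["last_seq"]:
        return None
    sa["last_seq"] = seq
    return packet[IP_HDR_LEN + ah_len:]


# Constructed sample SAD and traffic (not real keys or addresses from any deployment)
KEY = b"constructed-example-key"
SAD = {("192.0.2.10", AH_PROTO, 0x1001): {"key": KEY, "last_seq": 0}}


def demo():
    good = build_ah_packet("198.51.100.5", "192.0.2.10", 0x1001, 1, KEY, b"hello")
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                 # flip a payload bit: the ICV no longer matches
    wrong_spi = build_ah_packet("198.51.100.5", "192.0.2.10", 0x2002, 1, KEY, b"hello")
    return {
        "good": process_inbound_ah(good, SAD),
        "tampered": process_inbound_ah(bytes(tampered), SAD),
        "wrong_spi": process_inbound_ah(wrong_spi, SAD),
        "replayed": process_inbound_ah(good, SAD),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is in `lookup_inbound_sa`: the receiver never looks past the outer IPv4 header and the AH header to decide which SA applies. A protocol that instead selected the SA from fields inside a mobility or routing header would need a different lookup function here and a different definition of which bytes the ICV covers, which is the sense in which it would be a different protocol rather than AH with a tweak.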