
Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences



At 9:28 AM +0300 6/18/03, Tero Kivinen wrote:
>Stephen Kent writes:
>>  syntax from 2402. Suggesting that we change AH to accommodate SEND's
>>  possible use of it, in a fashion not consistent with the current
>>  specs, is asking quite a lot.
>
>The SEND is a user of the AH. Are there any other real users for the
>AH? In earlier days there were people saying that we should remove the
>whole AH as nobody uses. Now there seems to be SEND that is using it,
>but they want to do something differently. Do we want to say to our
>(only?) user that no we do not allow you to do anything differently?

The way you seem to want to use AH is so different from normal IPsec 
processing as to warrant having a different protocol, in my view. You 
can't just appropriate the name of the protocol and its syntax, but 
change the processing model.

>Do we want them to create another protocol replacing their use of AH?
>Another people who have been saying that they want to use AH is Mobile
>IP people. What do they want? Is the current spec fine with them or do
>they want similar processing than SEND?

Good question.

>Actually they quite often want to do demultiplexing based on the
>fields inside the mobility or routing header not the outer IP address.
>I.e they might need different demultiplexing algorithm too.

Then we have a BIG problem. So far I have not seen a mature proposal 
from mobile IP that requires what you suggest.

>
>So the real questions are:
>
>
>Is there any use for the AH as it is now specified?

Very little. But, that does not mean that one can redefine it and 
still have it be part of IPsec.

>What are application(s) / protocol(s) which will use it?

This is not the right question. The question is whether AH does what 
you want for SEND. If not, and if the changes are significant, then 
create a different protocol.

>If we cannot answer to those questions I think we should drop the
>current AH from the IPsec WG and say that SEND/Mobile IP etc can
>specify it so that it will be suitable for them :-)

The SEND WG can create its own protocol, but there is no technical 
rationale for reusing the AH name. Reuse would only cause confusion.

>I do not want any generic text saying "someone might want to use it if
>the phase of the moon is full and ..., and,... and ... export control
>... and ... government ... and ...".
>
>I do want current real world example (where the current AH as specified
>in the current document) is actually used or is planned to be used. I
>do NOT see any use for the AH on the VPNs or road warriors IPsec
>clients.

We appear to disagree on the ground rules. You seem to be suggesting 
that AH is like an abandoned ship, and whoever gets to it first can 
claim the name and redefine it :-) If IPsec has no continuing use for 
AH, then maybe we can retire the protocol number after a few years, 
but we seem to have some folks who suggest otherwise. I think the 
best course is to define a protocol that does what SEND needs and not 
try to twist AH into that protocol.

Steve