[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences

To: Pekka Nikander <pekka.nikander@nomadiclab.com>
Subject: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
From: Stephen Kent <kent@bbn.com>
Date: Wed, 25 Jun 2003 18:07:58 -0400
Cc: Tero Kivinen <kivinen@ssh.fi>, ipsec@lists.tislabs.com, James Kempf <kempf@docomolabs-usa.com>, SEND WG <ietf-send@standards.ericsson.net>
In-Reply-To: <3EF16ED1.3040908@nomadiclab.com>
References: <4.3.2.7.2.20030526181608.04a3df00@mira-sjc5-4.cisco.com><3EEC2C43.9060302@nomadiclab.com><p0521060abb1582a7f219@[12.159.173.182]><16112.1673.849180.847121@ryijy.hel.fi.ssh.com><p05210608bb16d1a9bbfd@[12.159.173.182]> <3EF16ED1.3040908@nomadiclab.com>
Sender: owner-ipsec@lists.tislabs.com

At 11:05 AM +0300 6/19/03, Pekka Nikander wrote:

	<SNIP>

>>>Is there any use for the AH as it is now specified?
>>
>>Very little. But, that does not mean that one can redefine it and 
>>still have it be part of IPsec.
>
>Just out of curiosity: How do you define IPsec?  RFC2401?

RFC 2401 defines IPsec processing and semantics. ESP and AH are the 
two subscriber traffic protocols whose syntax is separately defined. 
We put the common processing and context discussion in 2401, to avoid 
repetition. I do not view AH and ESP as protocols that should be 
viewed outside of the context of 2401.

>
>>The SEND WG can create its own protocol, but there is no technical 
>>rationale for reusing the AH name. Reuse would only cause confusion.
>
>In my (in this case very) humble opinion, I think that the question
>of reusing the AH name depends on the intent of the protocol, not
>only on its syntax.  If the goal is the same, to provide integrity
>and data origin authentication for the whole IP packet, including the
>immutable or predictable header fields, then I think that the protocol
>could and should be called AH.  If it uses public key crypto, and
>thereby creates (conceptual) Security Associations that are associated
>with the source of the packet rather than the destination, even for
>unicast, that does not change the intent.
>
>OTOH, I do agree that embedding KMP functionality into the AH header
>does not sound that good an idea.  However, it did not appear to me how
>to separate the KMP functionality before I started to implement the
>current SEND proposal.

Embedding key management data in the transit traffic headers is what 
SKIP proposed a long time ago. The IPsec WG spent over 2 years 
arguing about this before we adopted IKE.

>AH has a long history.  I think it would be better to return to the
>some early goals of AH rather than to deprecate it and start anew.

Some of the early goals are no longer relevant, e.g., because of the 
advent of integrity-only ESP.

Steve

Follow-Ups:
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: "Theodore Ts'o" <tytso@mit.edu>

References:
- Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
  - From: Stephen Kent <kent@bbn.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Stephen Kent <kent@bbn.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>

Prev by Date: Re: AHbis comments
Next by Date: Re: LAST CALL: IKE
Prev by thread: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
Next by thread: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
Index(es):
- Date
- Thread