Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences



Steve,

Part of the problem here is that we are trying to put AH and ESP to
bed before we take up the RFC 2401 revisions.  The SEND working group,
on the suggestion of Steve Bellovin, has essentially proposed a new
key management scheme, which uses an IP extension header to "establish"
keying material which can then be used by the AH and ESP.

I agree that it hasn't been fully specified in sufficient detail yet,
but the basic premise does seem sound.  To the extent that much of the
processing rules are in 2401, as you have pointed out, does it make
sense to perhaps delete the few sentences that outright prohibit what
the SEND working group is trying to do, and defer that discussion for
2401-bis discussion, just so we can send the AH and ESP documents to
the IESG and get them off our hands?  I agree that a protocol is not
just syntax, but semantics too.  However, much of the semantics is
already in the architecture document, and we do have precedent for
attempting to allow AH and ESP to be used by multiple keying
mechanisms beyond just IKE.  (i.e., SKIP, Multicast Keying, etc.)

						- Ted