[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences

To: "Theodore Ts'o" <tytso@mit.edu>
Subject: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
From: Stephen Kent <kent@bbn.com>
Date: Mon, 30 Jun 2003 13:21:07 -0400
Cc: Pekka Nikander <pekka.nikander@nomadiclab.com>, Tero Kivinen <kivinen@ssh.fi>, ipsec@lists.tislabs.com, James Kempf <kempf@docomolabs-usa.com>, SEND WG <ietf-send@standards.ericsson.net>
In-Reply-To: <20030630170323.GC4051@think>
References: <4.3.2.7.2.20030526181608.04a3df00@mira-sjc5-4.cisco.com><3EEC2C43.9060302@nomadiclab.com><p0521060abb1582a7f219@[12.159.173.182]><16112.1673.849180.847121@ryijy.hel.fi.ssh.com><p05210608bb16d1a9bbfd@[12.159.173.182]><3EF16ED1.3040908@nomadiclab.com> <p05210615bb1fb50fc562@[192.168.0.149]><20030630170323.GC4051@think>
Sender: owner-ipsec@lists.tislabs.com

At 1:03 PM -0400 6/30/03, Theodore Ts'o wrote:
>Steve,
>
>Part of the problem here is that we are trying to put AH and ESP to
>bed before we take up the RFC 2401 revisions.  The SEND working group,
>on the suggestion of Steve Bellovin, has essentially proposed a new
>key management scheme, uses an IP extension header to "establish"
>keying material which can then be used by the AH and ESP. 
>
>I agree that it hasn't been fully specified in sufficient detail yet,
>but the basic premise does seem sound.  To the extent that much of the
>processing rules are in 2401, as you have pointed out, does it make
>sense to perhaps delete the few sentences that outright prohibit what
>the SEND working group is trying to do, and defer that discussion for
>2401-bis discussion, just so we can send the AH and ESP documents to
>the IESG and get them off our hands?  I agree that a protocol is not
>just syntax, but semantics too.  However, much of the semantics is
>alreayd in architecture document, and we do have precedent for
>attempting to allow AH and ESP to be used by mutliple keying
>mechanisms beyond just IKE.  (i.e., SKIP, Multicast Keying, etc.)
>
>						- Ted

Ted,

We killed SKIP a long time ago, and I think that was the right 
decision :-) The reserved SPI feature was a holdover from that time, 
and maybe it too should go, to avoid giving folks the wrong 
impression.

I am not yet comfortable with making these changes to accommodate 
SEND, given the current status of the IPsec documents, the maturity 
of the SEND work, etc.  I suggest you ask Russ for his direction 
before we proceed.

Steve

References:
- Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
  - From: Stephen Kent <kent@bbn.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Stephen Kent <kent@bbn.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Pekka Nikander <pekka.nikander@nomadiclab.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: Stephen Kent <kent@bbn.com>
- Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
Next by Date: Re: IKEv2: active user identity protection
Prev by thread: Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
Next by thread: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SEND WG experiences
Index(es):
- Date
- Thread