[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences

At 1:03 PM -0400 6/30/03, Theodore Ts'o wrote:
>Part of the problem here is that we are trying to put AH and ESP to
>bed before we take up the RFC 2401 revisions.  The SEND working group,
>on the suggestion of Steve Bellovin, has essentially proposed a new
>key management scheme, uses an IP extension header to "establish"
>keying material which can then be used by the AH and ESP. 
>I agree that it hasn't been fully specified in sufficient detail yet,
>but the basic premise does seem sound.  To the extent that much of the
>processing rules are in 2401, as you have pointed out, does it make
>sense to perhaps delete the few sentences that outright prohibit what
>the SEND working group is trying to do, and defer that discussion for
>2401-bis discussion, just so we can send the AH and ESP documents to
>the IESG and get them off our hands?  I agree that a protocol is not
>just syntax, but semantics too.  However, much of the semantics is
>alreayd in architecture document, and we do have precedent for
>attempting to allow AH and ESP to be used by mutliple keying
>mechanisms beyond just IKE.  (i.e., SKIP, Multicast Keying, etc.)
>						- Ted


We killed SKIP a long time ago, and I think that was the right 
decision :-) The reserved SPI feature was a holdover from that time, 
and maybe it too should go, to avoid giving folks the wrong 

I am not yet comfortable with making these changes to accommodate 
SEND, given the current status of the IPsec documents, the maturity 
of the SEND work, etc.  I suggest you ask Russ for his direction 
before we proceed.