Re: Comments on draft-ietf-ipsec-rfc2402bis-03.txt based on SENDWG experiences
At 1:03 PM -0400 6/30/03, Theodore Ts'o wrote:
>Steve,
>
>Part of the problem here is that we are trying to put AH and ESP to
>bed before we take up the RFC 2401 revisions. The SEND working group,
>on the suggestion of Steve Bellovin, has essentially proposed a new
>key management scheme, which uses an IP extension header to "establish"
>keying material that can then be used by AH and ESP.
>
>I agree that it hasn't been fully specified in sufficient detail yet,
>but the basic premise does seem sound. To the extent that many of the
>processing rules are in 2401, as you have pointed out, does it make
>sense to perhaps delete the few sentences that outright prohibit what
>the SEND working group is trying to do, and defer that discussion for
>2401-bis discussion, just so we can send the AH and ESP documents to
>the IESG and get them off our hands? I agree that a protocol is not
>just syntax, but semantics too. However, much of the semantics is
>already in the architecture document, and we do have precedent for
>attempting to allow AH and ESP to be used by multiple keying
>mechanisms beyond just IKE. (i.e., SKIP, Multicast Keying, etc.)
>
> - Ted
Ted,
We killed SKIP a long time ago, and I think that was the right
decision :-) The reserved SPI feature was a holdover from that time,
and maybe it too should go, to avoid giving folks the wrong
impression.
I am not yet comfortable with making these changes to accommodate
SEND, given the current status of the IPsec documents, the maturity
of the SEND work, etc. I suggest you ask Russ for his direction
before we proceed.
Steve