[anonsec] Changes for draft-ietf-btns-connection-latching-07

Nicolas Williams <Nicolas.Williams@sun.com> Tue, 15 April 2008 14:56 UTC

Date: Tue, 15 Apr 2008 09:31:57 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: anonsec@postel.org
Message-ID: <20080415143157.GH8027@Sun.COM>
Subject: [anonsec] Changes for draft-ietf-btns-connection-latching-07

At Philadelphia I had a conversation with Daniel Migault about
connection latching.  Daniel's main insight was that the key task for us
in this I-D was to make absolutely clear what is the impact of this work
on the IPsec architecture, and that that impact is minimal, or none.

Daniel subsequently posted suggested text and ASCII art, and though I
used very little of that text as is, Daniel's text and art inspired me
to follow along those lines.

So I made the following changes:

 - Simplified and clarified the connection latch state machine,
   including a state machine diagram.

 - Tailored the description of the normative model of connection
   latching to make clear that at its bare minimum it's just a purely
   local conflict detection and notification mechanism.

 - All features whereby local policy is logically updated are now
   optional, with clear warnings that no such logical policy updates
   survive reboots.

 - Added text to the security considerations section about the impact of
   this feature on the IPsec architecture.  The impact of optional
   features is described in a separate section.

 - Added an informative diagram showing the relationships between
   various components of an IPsec w/ connection latching system, all in
   terms likely to be understood by operating systems developers.

 - Added a section describing how connection latching works for each of
   the three major transport protocols, even though all the details
   therein follow from the remainder of the draft.  I thought it would
   be good to show that the details relating to SCTP were as simple as
   those relating to TCP.

The URL to the rfcdiff tool for the diffs between -06 and -07 is:


[No, I've not yet spell-checked -07.  I just noticed I misspelt
"simultaneous" -- how embarrassing.]
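The "bare minimum" model mentioned in the change list, a latch as a purely local conflict detection and notification mechanism, can be sketched in a few dozen lines. The following is an added toy model and not code from the draft or from its author: a latch remembers the IPsec parameters (here just a peer identity and a transform label) under which a flow was first seen, lets later packets through only while they arrive under the same parameters, and otherwise drops the packet and notifies the upper-layer protocol. The state names, the field names and the sample flow and SA values are all assumptions made for this example.

```python
"""Toy model of a connection latch as a purely local conflict detector.

Constructed example, not the draft's code: a latch records the IPsec
parameters under which a flow was first seen and reports a conflict when a
later packet for the same flow arrives under different parameters.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, List, Optional, Tuple


class LatchState(Enum):
    LISTENER = auto()     # waiting for the first packet / SA of the flow
    ESTABLISHED = auto()  # latched to one set of IPsec parameters
    BROKEN = auto()       # a conflicting SA was seen; the ULP was notified
    CLOSED = auto()       # released by the ULP; nothing is delivered


@dataclass(frozen=True)
class FlowId:
    """Transport flow identifier (constructed field set)."""
    proto: str
    local: str
    remote: str


@dataclass(frozen=True)
class SaParams:
    """The subset of SA parameters a latch binds to (constructed field set)."""
    peer_id: str     # authenticated peer identity, or "anonymous" for BTNS
    transform: str   # label for the transform in use


class ConnectionLatch:
    def __init__(self, flow: FlowId, notify: Callable[[str], None]):
        self.flow = flow
        self.state = LatchState.LISTENER
        self.params: Optional[SaParams] = None
        self._notify = notify

    def packet(self, sa: SaParams) -> bool:
        """Decide whether a packet that arrived under `sa` may be delivered.

        Returns True to deliver, False to drop.  Dropping because of a
        parameter mismatch also moves the latch to BROKEN and notifies the
        ULP; a later packet under the original parameters restores it.
        """
        if self.state is LatchState.CLOSED:
            return False
        if self.state is LatchState.LISTENER:
            # First packet of the flow: latch to whatever SA carried it.
            self.params = sa
            self.state = LatchState.ESTABLISHED
            return True
        if sa == self.params:
            if self.state is LatchState.BROKEN:
                self.state = LatchState.ESTABLISHED
            return True
        # Mismatch: purely local detection plus a notification, nothing more.
        if self.state is LatchState.ESTABLISHED:
            self.state = LatchState.BROKEN
            self._notify(f"latch conflict on {self.flow}: "
                         f"expected {self.params}, got {sa}")
        return False

    def close(self) -> None:
        self.state = LatchState.CLOSED


def run_demo() -> Tuple[List[bool], List[str], LatchState]:
    """Drive one latch through a constructed packet sequence."""
    flow = FlowId("tcp", "10.0.0.1:4000", "10.0.0.2:22")  # constructed
    good = SaParams("anonymous", "ESP-transform-A")        # constructed
    other = SaParams("someone-else", "ESP-transform-A")    # constructed
    notices: List[str] = []
    latch = ConnectionLatch(flow, notices.append)
    decisions = [latch.packet(sa) for sa in (good, good, other, good, other)]
    latch.close()
    decisions.append(latch.packet(good))
    return decisions, notices, latch.state


if __name__ == "__main__":
    verdicts, notes, final = run_demo()
    print("deliver:", verdicts)
    print("notifications:", len(notes), "final state:", final.name)
```

The point of the model is what it does not do: it never changes policy, never tears down an SA, and never survives the object being discarded. Everything beyond this (the logical policy updates the change list makes optional) is an extension layered on top of the same detect-and-notify core.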