Re: TLS vs. IPsec (Was: Re: experiments in the ietf week)

Ned Freed <ned.freed@mrochek.com> Tue, 25 March 2008 15:22 UTC

Message-id: <01MSTYD7X60O00007A@mauve.mrochek.com>
Date: Tue, 25 Mar 2008 08:11:37 -0700
From: Ned Freed <ned.freed@mrochek.com>
Subject: Re: TLS vs. IPsec (Was: Re: experiments in the ietf week)
In-reply-to: "Your message dated Tue, 25 Mar 2008 14:32:27 +0100" <252541B2-61F3-4B6E-89B1-E3724CB182CC@muada.com>
References: <200803160116.m2G1GAGv003720@drugs.dv.isc.org> <340BF503-AE02-420E-8AE8-C99DC38088C6@muada.com> <20080319053351.3A3621B947A@kilo.rtfm.com> <32F1E943-3069-451D-9EFC-E81244A46C4C@muada.com> <2788466ED3E31C418E9ACC5C316615570850B7@mou1wnexmb09.vcorp.ad.vrsn.com> <47E7EBD8.7040707@piuha.net> <252541B2-61F3-4B6E-89B1-E3724CB182CC@muada.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: Jari Arkko <jari.arkko@piuha.net>, IETF Discussion <ietf@ietf.org>

> On 24 Mar 2008, at 18:58, Jari Arkko wrote:

> > Now, if we had a proposal that turned IPsec into something as easily
> > deployable between random clients and known servers as TLS, I would be
> > interested in a new experiment! But I did not see a proposal for that
> > yet. Maybe time for that draft that Phillip suggested in another thread,
> > Iljitsch?

> I'm afraid that won't work because of scheduling conflicts if I wanted
> to present such a draft to the appropriate SEC area wg...

> A quick s/TLS/IPsec/g isn't realistic, but I would certainly be
> interested in seeing one or more IETF services use some kind of IPsec
> protection in order to see if this is workable in practice. There are
> APIs that allow applications to set this up on a per-application
> basis, unless I'm mistaken.

I believe you're mistaken. There is much work that needs to be done in this
area before it will be possible for applications to use IPsec this way. The
good news is that the BTNS WG is actively working to fill this gap; see

    An abstract interface between applications and IPsec (draft-ietf-btns-abstract-api-01)
    IPsec Channels: Connection Latching (draft-ietf-btns-connection-latching-06)
    IPsec Application Programming Interfaces (draft-ietf-btns-c-api-03)

But even if this work is successful it will be many years before the necessary
support is sufficiently widely implemented and deployed to be usable, assuming
that ever happens.

				Ned
_______________________________________________
IETF mailing list
IETF@ietf.org
https://www.ietf.org/mailman/listinfo/ietf
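The message above says applications cannot yet ask the stack for per-connection IPsec protection and points at the BTNS "connection latching" work as the missing piece. As an added illustration, not code from this thread or from the BTNS drafts, here is a small Python model of what a latch has to enforce: once a transport connection has been seen on an IPsec channel, every later packet on that 5-tuple must arrive on an SA with the same peer identity and the same kind of protection, so a rekey is fine but a cleartext packet or an SA from a different peer is dropped. The SAInfo fields, the "rawkey:" BTNS identity form and the protection labels are constructed for the example; a real stack would expose equivalent data from its SAD/SPD, and the draft's actual state machine has more cases than this model.

```python
"""Toy model of IPsec connection latching (added example, not BTNS draft code).

A latch binds one transport connection (5-tuple) to the IPsec channel that
carried its first packet: the peer identity and the protection kind.  Later
packets are accepted only if they match the latched channel.  SPI changes
(rekeys) are allowed because the identity, not the SA, is what is latched.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Protection kinds as a stack might report them (labels are constructed).
NONE = "none"              # cleartext, no IPsec
ESP_ENC_AUTH = "esp-enc-auth"   # ESP with encryption and integrity
ESP_NULL_AUTH = "esp-null-auth"  # ESP-NULL, integrity only


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    local: Tuple[str, int]
    remote: Tuple[str, int]


@dataclass(frozen=True)
class SAInfo:
    """What the stack knows about the SA a packet arrived on.

    peer_id is the authenticated IKE identity (e.g. an FQDN), or for BTNS
    an unauthenticated raw public key fingerprint ("rawkey:..." is a made-up
    form used only in this example).  spi=0 and protection=NONE mean the
    packet was not IPsec-protected at all.
    """
    spi: int
    peer_id: str
    protection: str


@dataclass
class ConnectionLatch:
    flow: FiveTuple
    require_protection: bool = True
    peer_id: Optional[str] = None
    protection: Optional[str] = None
    spis: set = field(default_factory=set)

    @property
    def latched(self) -> bool:
        return self.protection is not None

    def accept(self, flow: FiveTuple, sa: SAInfo) -> bool:
        """Return True if the packet may be delivered on this connection."""
        if flow != self.flow:
            raise ValueError("packet does not belong to this latched connection")
        if not self.latched:
            # First packet decides the channel.  Refuse to latch a cleartext
            # channel when the application asked for protection.
            if sa.protection == NONE and self.require_protection:
                return False
            self.peer_id, self.protection = sa.peer_id, sa.protection
            self.spis.add(sa.spi)
            return True
        # Latched: same peer identity and same protection kind, or drop.
        # A different SPI with matching identity is a rekey and is fine.
        if sa.protection != self.protection or sa.peer_id != self.peer_id:
            return False
        self.spis.add(sa.spi)
        return True


def run_stream(latch: ConnectionLatch, packets) -> list:
    """Apply the latch to a sequence of (flow, sa) pairs; return verdicts."""
    return [latch.accept(flow, sa) for flow, sa in packets]


# Constructed sample traffic for one HTTP connection.
FLOW = FiveTuple("tcp", ("192.0.2.10", 51000), ("198.51.100.5", 80))
SA_FIRST = SAInfo(0x1001, "www.example.net", ESP_ENC_AUTH)
SA_REKEY = SAInfo(0x1002, "www.example.net", ESP_ENC_AUTH)
SA_OTHER_PEER = SAInfo(0x1003, "attacker.example", ESP_ENC_AUTH)
SA_WEAKER = SAInfo(0x1004, "www.example.net", ESP_NULL_AUTH)
CLEARTEXT = SAInfo(0, "", NONE)


def authenticated_example() -> list:
    """IKE-authenticated peer: rekey ok, other peer / cleartext / downgrade dropped."""
    latch = ConnectionLatch(FLOW)
    return run_stream(latch, [(FLOW, SA_FIRST), (FLOW, SA_REKEY),
                              (FLOW, SA_OTHER_PEER), (FLOW, CLEARTEXT),
                              (FLOW, SA_WEAKER)])


def btns_example() -> list:
    """BTNS-style: the peer is only a raw key, but a key change still breaks the latch."""
    latch = ConnectionLatch(FLOW)
    key_a = SAInfo(0x2001, "rawkey:aaaa", ESP_ENC_AUTH)
    key_a2 = SAInfo(0x2002, "rawkey:aaaa", ESP_ENC_AUTH)
    key_b = SAInfo(0x2003, "rawkey:bbbb", ESP_ENC_AUTH)
    return run_stream(latch, [(FLOW, key_a), (FLOW, key_a2), (FLOW, key_b)])


if __name__ == "__main__":
    print("authenticated:", authenticated_example())
    print("btns:", btns_example())
```

The point the model makes is the one Ned's reply is about: the check is cheap once the stack tells the application which identity and protection a connection is bound to, but without an API that exposes the SA properties per connection (the BTNS abstract and C API drafts), an application has no way to build the latch at all.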