Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode

Joe Touch <touch@isi.edu> Wed, 17 September 2014 22:52 UTC

Return-Path: <touch@isi.edu>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DD741A0AF6 for <ipsec@ietfa.amsl.com>; Wed, 17 Sep 2014 15:52:54 -0700 (PDT)
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4Kp6X5Nnzd0 for <ipsec@ietfa.amsl.com>; Wed, 17 Sep 2014 15:52:52 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86F3C1A04E8 for <ipsec@ietf.org>; Wed, 17 Sep 2014 15:52:52 -0700 (PDT)
Received: from [128.9.160.211] (mul.isi.edu [128.9.160.211]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id s8HMqFGp023915 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 17 Sep 2014 15:52:15 -0700 (PDT)
Message-ID: <541A109E.1070405@isi.edu>
Date: Wed, 17 Sep 2014 15:52:14 -0700
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Paul Wouters <paul@nohats.ca>, Yaron Sheffer <yaronf.ietf@gmail.com>
References: <54131C57.2060605@gmail.com> <alpine.LFD.2.10.1409121350180.31178@bofh.nohats.ca>
In-Reply-To: <alpine.LFD.2.10.1409121350180.31178@bofh.nohats.ca>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ipsec/Gr50_3OhiXMbc1OadrWc9vYb80U
Cc: ipsec <ipsec@ietf.org>
Subject: Re: [IPsec] Call for adoption: MOBIKEv2: MOBIKE extension for Transport mode


On 9/12/2014 11:02 AM, Paul Wouters wrote:
> On Fri, 12 Sep 2014, Yaron Sheffer wrote:
> 
>> This is a call for adopting draft-mglt-ipsecme-mobikev2 as a WG
>> document. Please respond to this mail with a Yes or No and a short
>> rationale, at latest by Friday Sep. 19.
> 
> This document confuses me.
> 
> It seems section 4 to 7 are about much more than just transport mode. It
> seems to (re?)introduce versioning, non-transport notify payloads, etc.
> 
> MOBIKE is about keeping your assigned address with you, making your
> inner IP consistent regardless of the outer IP. That makes no sense
> with transport mode, which is tied to your ephemeral outer address.
> 
> Transport mode IPsec is a terrible idea in today's NATed world. It should
> die, not see more use.

See RFC 3884. Just because you're getting rid of IPsec-controlled
tunnels doesn't mean you have to give up tunnels, and using separate
IP-in-IP tunneling has distinct advantages in today's dynamically routed,
virtually networked world.

If you want to pick something to die, please kill IPsec tunnel mode as
an integrated beast.

Joe
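The two positions above (Paul's "transport mode is terrible behind NAT", Joe's pointer to RFC 3884's IP-in-IP-under-transport-mode arrangement) can be made concrete with a small packet model. The following is an added illustration, not code from this thread or from any IPsec implementation. ESP is reduced to a toy (SPI, sequence number, protected bytes, next-header byte and an HMAC-SHA256 ICV, with no encryption so the protected bytes stay readable); the addresses, ports and key are constructed sample values. It shows why a NAT rewriting the outer source address invalidates the TCP checksum of a plain transport-mode packet (the checksum's pseudo-header covers the pre-NAT address, and the NAT cannot repair it without breaking the ICV), while the same NAT rewrite is harmless when an inner IP header travels inside the ESP payload, which is the RFC 3884 arrangement.

```python
"""Toy model: NAT vs. transport-mode ESP, with and without an IP-in-IP inner header.

Added illustration only; ESP is simplified to SPI + seq + data + next-header + ICV.
All addresses, ports and the key below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_TCP, PROTO_IPIP, PROTO_ESP = 6, 4, 50
KEY = b"constructed-demo-sa-key"  # assumption: the SA's integrity key
ICV_LEN = 32                        # SHA-256 output, untruncated in this toy


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _pseudo_header(src: str, dst: str, seg_len: int) -> bytes:
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, PROTO_TCP, seg_len))


def tcp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """TCP segment whose checksum covers the pseudo-header, i.e. the IP addresses it was built for."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = checksum(_pseudo_header(src, dst, len(seg)) + seg) or 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def tcp_checksum_ok(src: str, dst: str, seg: bytes) -> bool:
    return checksum(_pseudo_header(src, dst, len(seg)) + seg) == 0


def esp_wrap(next_header: int, protected: bytes) -> bytes:
    """Toy ESP: everything after the SPI/seq is integrity-protected by the ICV."""
    body = struct.pack("!II", 0x1000, 1) + protected + bytes([next_header])
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def esp_unwrap(esp: bytes):
    """Verify the ICV; return (next_header, protected bytes) or raise on tampering."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, body, hashlib.sha256).digest()):
        raise ValueError("ESP ICV check failed")
    return body[-1], body[8:-1]


def send_transport_mode(src: str, dst: str, payload: bytes) -> bytes:
    """Plain transport mode: outer IP | ESP | TCP. The TCP checksum is bound to the outer addresses."""
    esp = esp_wrap(PROTO_TCP, tcp_segment(src, dst, 40000, 80, payload))
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def send_esp_over_ipip(tun_src: str, tun_dst: str, src: str, dst: str, payload: bytes) -> bytes:
    """RFC 3884 arrangement: outer IP | ESP | inner IP | TCP. The inner header rides inside ESP."""
    seg = tcp_segment(src, dst, 40000, 80, payload)
    inner = ipv4_header(src, dst, PROTO_TCP, len(seg)) + seg
    esp = esp_wrap(PROTO_IPIP, inner)
    return ipv4_header(tun_src, tun_dst, PROTO_ESP, len(esp)) + esp


def nat_rewrite_source(packet: bytes, new_src: str) -> bytes:
    """A source NAT: rewrite the outer source address and refresh only the IP header checksum."""
    hdr = packet[:10] + b"\x00\x00" + ipaddress.IPv4Address(new_src).packed + packet[16:20]
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + packet[20:]


def receive(packet: bytes) -> bool:
    """Receiver: authenticate ESP, then check the TCP checksum against the addresses the stack will use."""
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    next_hdr, protected = esp_unwrap(packet[20:])
    if next_hdr == PROTO_TCP:          # transport mode: TCP is checked against the outer header
        return tcp_checksum_ok(outer_src, outer_dst, protected)
    if next_hdr == PROTO_IPIP:         # IP-in-IP: TCP is checked against the inner header
        inner_src = str(ipaddress.IPv4Address(protected[12:16]))
        inner_dst = str(ipaddress.IPv4Address(protected[16:20]))
        return tcp_checksum_ok(inner_src, inner_dst, protected[20:])
    raise ValueError("unexpected next header")


def nat_fixup_attempt(packet: bytes) -> str:
    """A NAT cannot patch the TCP checksum of a transport-mode packet: the field is under the ICV."""
    tampered = packet[:44] + b"\x00\x00" + packet[46:]   # 20 IP + 8 ESP hdr + 16 = TCP checksum offset
    try:
        receive(tampered)
        return "accepted"
    except ValueError:
        return "rejected: ICV mismatch"


def demo() -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"
    host, server, nat_public = "10.0.0.5", "203.0.113.10", "198.51.100.7"   # constructed
    tm = send_transport_mode(host, server, payload)
    ipip = send_esp_over_ipip(host, server, host, server, payload)
    return {
        "transport_no_nat": receive(tm),
        "transport_after_nat": receive(nat_rewrite_source(tm, nat_public)),
        "ipip_no_nat": receive(ipip),
        "ipip_after_nat": receive(nat_rewrite_source(ipip, nat_public)),
        "nat_fixup": nat_fixup_attempt(nat_rewrite_source(tm, nat_public)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The result set is the whole argument in four booleans: plain transport mode survives only as long as nobody rewrites the outer addresses, and a NAT that tries to help by patching the checksum is rejected by the ICV, which is why real NAT-T for transport mode (RFC 3948) pushes the checksum fix-up onto the receiving host instead. Wrapping an inner IP header inside ESP, as RFC 3884 does, makes the outer address irrelevant to the protected payload, which is the property Joe is pointing at.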