Re: is manual keying mandatory

Steve Sneddon <sned@cisco.com> Mon, 23 March 1998 19:27 UTC

Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id OAA25082 for ipsec-outgoing; Mon, 23 Mar 1998 14:27:18 -0500 (EST)
Message-Id: <2.2.32.19980323193903.006e5768@trix.cisco.com>
X-Sender: sned@trix.cisco.com
X-Mailer: Windows Eudora Pro Version 2.2 (32)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Mon, 23 Mar 1998 11:39:03 -0800
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
From: Steve Sneddon <sned@cisco.com>
Subject: Re: is manual keying mandatory
Cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Ted, thanks for expressing the position I take 99.999% of the time. However,
I'm afraid that I see this as a big issue. At its heart, it's a
"commercial" issue, a kind of problem we haven't had to deal with as much as
other (harder?) technical issues. But, if companies can't make a successful
IPSec product, then that's a problem in my book (I know not in everybody's
book, etc. etc., please let's not rehash *that* issue again ;=)). And I
think there's a very cogent case to be made that manual keying can't "work"
(in a commercial sense of being scalable, supportable, security-risk-free,
etc.) in everyday use on tens of millions of machines - a space that certain
people are trying to address with commercial products.

Would it be a good thing if some major (numbers-wise) implementations were
explicitly non-compliant? That might be the alternative. How would that help
the overall situation?

All this is the reason why I asked for information from people on the topic.
There's still lots of issues outside of the IPSec specs that need
addressing. Yet practically nobody responded with the detail I requested.
Given how quick people usually are on this list, I take that as evidence
that nobody's doing it in a general way... Or maybe it's so hard they want
to keep it to themselves for competitive reasons :=} ?

Regards all,
Steve

At 02:10 PM 3/20/98 -0500, Theodore Y. Ts'o wrote:
>
>
>Can we please consider the issue of manual keying to be closed, please?
>We've gone over this before many times --- and the only way to make
>progress is to avoid continually revisiting issues which we've decided
>in the past.  The Security Architecture document very clearly states
>that manual keying is mandatory; there shouldn't be any confusion on
>this issue at all.  Some of you may disagree with this decision, but we
>decided this months ago.  Can we please give it a rest?
>
>                                                        - Ted
>