Re: problems with draft-jenkins-ipsec-rekeying-06.txt
Dan Harkins <dharkins@cips.nokia.com> Tue, 18 July 2000 01:26 UTC
Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by ns.secondary.com (8.9.3/8.9.3) with ESMTP id SAA02181; Mon, 17 Jul 2000 18:26:06 -0700 (PDT)
Received: by lists.tislabs.com (8.9.1/8.9.1) id UAA16754 Mon, 17 Jul 2000 20:14:38 -0400 (EDT)
Message-Id: <200007180019.RAA23028@potassium.network-alchemy.com>
To: Henry Spencer <henry@spsystems.net>
cc: Andrew Krywaniuk <andrew.krywaniuk@alcatel.com>, hugh@mimosa.com, 'Tim Jenkins' <TJenkins@Catena.com>, 'IPsec List' <ipsec@lists.tislabs.com>, 'Hugh Daniel' <hugh@toad.com>, 'John Gilmore' <gnu@toad.com>
Subject: Re: problems with draft-jenkins-ipsec-rekeying-06.txt
In-reply-to: Your message of "Mon, 17 Jul 2000 18:36:03 EDT." <Pine.BSI.3.91.1000717181505.18264I-100000@spsystems.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <23025.963879579.1@network-alchemy.com>
Date: Mon, 17 Jul 2000 17:19:39 -0700
From: Dan Harkins <dharkins@cips.nokia.com>
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk
Yes, technical merit should guide resolution but it helps to have the problem laid out first. This whole thing started with your proposal that was a "better approach to certain parts of the rekeying problem" that draft-jenkins-ipsec-rekeying-06.txt addressed. That draft addresses _lots_ of issues. What certain parts are you resolving? The responder pre-set-up problem, which is what you seem to be focusing on, is solved by using a CONNECTED notify. There is no "security hole" associated with this. There is only potential for a DoS attack. Nowhere in your proposal does it even discuss a DoS attack. So what is it you're solving? If the problem space has moved then let's take a step back and redefine what it is we're discussing. Maybe an even more *superior* solution would be what David Faucher proposed: just make the MID a monotonically increasing counter and don't accept anything <= the currently authenticated MID. But this requires agreeing on what the problem is that the solution proposes to solve. Dan. On Mon, 17 Jul 2000 18:36:03 EDT you wrote > > Moreover, I think this has slightly missed our point. We are not just > arguing that there is a different interpretation possible here, or that it > is the preferred interpretation in the absence of supplementary folklore > (although we do make both those claims). > > We contend that our interpretation is *superior*. It improves the > protocol's robustness, and permits solving certain vexing problems in a > much simpler way than Tim Jenkins proposes, and does this (as verified by > both analysis and practical experience) without introducing significant > implementation difficulties or interoperability problems. > > The primary criterion for choice when resolving ambiguities should be > technical merit, not closeness to the original intent. > > Henry Spencer > henry@spsystems.net >
- problems with draft-jenkins-ipsec-rekeying-06.txt D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Tim Jenkins
- procedural RE: problems with draft-jenkins-ipsec-… Henry Spencer
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- Re: procedural RE: problems with draft-jenkins-ip… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Mason, David
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Henry Spencer
- Re: problems with draft-jenkins-ipsec-rekeying-06… Dan Harkins
- RE: problems with draft-jenkins-ipsec-rekeying-06… andrew.krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Henry Spencer
- RE: problems with draft-jenkins-ipsec-rekeying-06… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… andrew.krywaniuk
- RE: problems with draft-jenkins-ipsec-rekeying-06… Paul Koning
- RE: problems with draft-jenkins-ipsec-rekeying-06… D. Hugh Redelmeier
- RE: problems with draft-jenkins-ipsec-rekeying-06… Andrew Krywaniuk