Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)

"D. Hugh Redelmeier" <> Wed, 21 November 2018 16:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D3467128AFB; Wed, 21 Nov 2018 08:40:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SyAXe-v15oSQ; Wed, 21 Nov 2018 08:40:44 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AC43A130DFA; Wed, 21 Nov 2018 08:40:43 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTPS id DD2B4160153; Wed, 21 Nov 2018 11:40:42 -0500 (EST)
Date: Wed, 21 Nov 2018 11:40:42 -0500 (EST)
From: "D. Hugh Redelmeier" <>
Reply-To: "D. Hugh Redelmeier" <>
To:, The IESG <>
In-Reply-To: <25704.1542816043@localhost>
Message-ID: <>
References: <> <25704.1542816043@localhost>
User-Agent: Alpine 2.21 (LFD 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <>
Subject: Re: [IPsec] Warren Kumari's Discuss on draft-ietf-ipsecme-split-dns-14: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Nov 2018 16:40:46 -0000

| From: Michael Richardson <>;

| In almost all cases the VPN provider is in control of the software that is
| installed on the client system, so they can hijack paypal already.

VPN providers should not provide software to their clients.  That's a
bug and should not be encouraged by the committee.

The point of a standard is that any IPSec implementation should be
able to connect with any other IPsec implementation.  The default
provider of VPN software ought to be the provider of the OS for the
client's machine.  The client should be able to choose any conformant 
implementation.  I admit that we have failed to make interop easy
and normal, but that's where we should be heading.