Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
"Howard C. Berkowitz" <hcb@clark.net> Tue, 31 March 1998 20:10 UTC
Date: Tue, 31 Mar 1998 15:06:17 -0500
Message-Id: <v03007814b146b4041107@[142.154.136.3]>
In-Reply-To: <98Mar31.144736est.11652@janus.tor.securecomputing.com>
References: hcb's message of "Tue, 31 Mar 1998 14:07:09 -0500". <v0300780bb146a2d106bd@[142.154.136.3]> Your message of "Tue, 31 Mar 1998 09:51:59 EST." <v03007807b1466a67057e@[142.154.136.3]> <v0300780bb146a2d106bd@[142.154.136.3]>
To: "C. Harald Koch" <chk@utcc.utoronto.ca>
From: "Howard C. Berkowitz" <hcb@clark.net>
Subject: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Cc: perry@piermont.com, ietf@ns.ietf.org
At 14:46 -0500 3/31/98, C. Harald Koch wrote:
>In message <v0300780bb146a2d106bd@[142.154.136.3]>, "Howard C. Berkowitz"
>writes:
>>
>> Stating things more succinctly, I think the architecture document,
>> specifically, neither discusses proxy vs. end-to-end functions in the
>> context of risk analysis, nor does it reference a document that does.
>> There have been strong arguments about the interactions of IPsec and
>> various proxy and proxy-like functions, including NAT, satellite spoofing,
>> firewalls, etc. Perhaps some guidance from the IESG or IAB is in order,
>> clarifying how the IETF will build consensus on the interaction of these
>> security and infrastructure technologies. Specific commentary on the effect
>> of widespread IPsec deployment on the demand for globally routable IPv4
>> space, under various scenarios of IPsec tunneling, should be considered.
>
>None of these were in the Charter for the IPsec working group. This was
>deliberate; they're hard problems.

I can get along with stating things in those terms, although I would suggest that this conscious limiting doesn't come across in the architecture document. Again, my concern is that the enterprise network architect realistically is not going to go back to the charter. If things are consciously out of scope, a pointer to that would help enormously in getting deployed.

Your points are well taken, and my comments are meant to be supportive of the overall effort. I do in fact monitor IPsec drafts, but, realistically, as do many others, I actively comment in only a certain subset of the WGs. If something reaches last call, and especially if it is impacting other areas of work, it seems appropriate to me to try to build consensus and clarity. That is the point of my comments: I want the work to be used. I don't want to see things happen such as people coming into NAT, etc., and saying "you can't do this because it breaks IPsec."

>Many of them are (or will be) in the Charter for the IPsecond working group,
>and I'm sure we'd love to have you participate in those discussions.

I'd be happy to do so, especially within my area of specialization, which is more routing and addressing. I fully recognize the need to limit the scope of work in order to get things done.

>There's precedent for splitting work like this, after all. We're up to RIPv2,
>SNMPv3, and BGPv4 right now, after all.

Given that the IPsecond effort is being formed, does it make sense to identify the current document as IPsec V1? Seriously, I think that would help among nonspecialists.

Your comments are valid, and I hope mine are taken in the constructive way they are meant.

I've killfiled Mr. Metzger.

Howard