Re: [secdir] secdir review of draft-ietf-mext-aero-reqs8

Stephen Kent <> Tue, 25 August 2009 02:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6D4693A6E5A; Mon, 24 Aug 2009 19:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.389
X-Spam-Status: No, score=-2.389 tagged_above=-999 required=5 tests=[AWL=-0.017, BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eFdfmp7szVG6; Mon, 24 Aug 2009 19:10:24 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A7D643A6963; Mon, 24 Aug 2009 19:10:24 -0700 (PDT)
Received: from ([] helo=[]) by with esmtp (Exim 4.60) (envelope-from <>) id 1MfkYN-0006Eg-Fo; Mon, 24 Aug 2009 21:10:28 -0400
Mime-Version: 1.0
Message-Id: <p06240808c6b8f2972618@[]>
In-Reply-To: <>
References: <> <>
Date: Mon, 24 Aug 2009 22:10:28 -0400
To: "Davis, Terry L" <>
From: Stephen Kent <>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: "" <>, "" <>, 'Sam Hartman' <>, "" <>, "" <>, "" <>, "'Ivancic, William D. (GRC-RHN0)'" <>
Subject: Re: [secdir] secdir review of draft-ietf-mext-aero-reqs8
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 25 Aug 2009 02:10:25 -0000

At 3:48 PM -0700 8/21/09, Davis, Terry L wrote:
>One of the items that continues to seriously concern me across the 
>whole IP protocol RFC set is the basic lack of simple 
>vendor-to-vendor IP security interoperability!  All of NEMO and MEXT 
>assumes that simple, easy to implement, IPSec, PKI, and IKE 
>interoperability exist; they do NOT.


IPsec (not IPSec :-)) and IKE have been available in major host 
operating systems for a few years, so the phrase "easy to implement" 
is not generally a true assertion.  Are you stating that the aviation 
industry needs to implement its own versions of these and analogous 
Interent protocols? Also, as for interoperability, I believe Paul 
Hoffman has reported a number of good results through his VPNC 
testing experiences.

As for PKI, there are relying party implementations in all browsers, 
and in some OSes, and OpenSSL.  The browsers interoperate with web 
servers (using SSL) developed by a few different vendors, which is a 
decent demo of interoperability for core PKI features. OpenCA and 
OpenSSL are decent (not perfect) examples of open source software for 
both RP and CA functions.

Later you seem to be arguing that a single PKI (vs. IETF PKI and 
IPsec/IKE standards) is an essential feature for IPsec solutions. 
This is clearly not true in general. Is this another situation where 
aviation is "special?"

I will not disagree with your assertion that many of the Ipsec/IKE 
and PKI products have hard to configure admin interfaces. But, that 
is an issue outside the scope of IETF standards. Also, I would 
observe that the typical CLI for a router is not an easy to use 
interface either.