Re: [secdir] secdir review of draft-ietf-mext-aero-reqs8

[Stephen Kent <kent@bbn.com>]

At 3:48 PM -0700 8/21/09, Davis, Terry L wrote:
>Sam
>
>One of the items that continues to seriously concern me across the 
>whole IP protocol RFC set is the basic lack of simple 
>vendor-to-vendor IP security interoperability!  All of NEMO and MEXT 
>assumes that simple, easy to implement, IPSec, PKI, and IKE 
>interoperability exist; they do NOT.

Terry,

IPsec (not IPSec :-)) and IKE have been available in major host 
operating systems for a few years, so the phrase "easy to implement" 
is not generally a true assertion.  Are you stating that the aviation 
industry needs to implement its own versions of these and analogous 
Interent protocols? Also, as for interoperability, I believe Paul 
Hoffman has reported a number of good results through his VPNC 
testing experiences.

As for PKI, there are relying party implementations in all browsers, 
and in some OSes, and OpenSSL.  The browsers interoperate with web 
servers (using SSL) developed by a few different vendors, which is a 
decent demo of interoperability for core PKI features. OpenCA and 
OpenSSL are decent (not perfect) examples of open source software for 
both RP and CA functions.

Later you seem to be arguing that a single PKI (vs. IETF PKI and 
IPsec/IKE standards) is an essential feature for IPsec solutions. 
This is clearly not true in general. Is this another situation where 
aviation is "special?"

I will not disagree with your assertion that many of the Ipsec/IKE 
and PKI products have hard to configure admin interfaces. But, that 
is an issue outside the scope of IETF standards. Also, I would 
observe that the typical CLI for a router is not an easy to use 
interface either.


Steve