
Re: draft-tschofenig-v6ops-secure-tunnels-03.txt



On Fri, 14 Jan 2005, Alain Durand wrote:
> Well, I'm not a security expert, far from that, so I'm not sure I can comment on the quality of the security assertions. However, at first glance, it seems that this is a tutorial on ikev1 & ikev2 in the context of IPv6... In other words, it is unclear to me why we need this document in v6Ops and why it is not homed in a security related wg IF there is a need for such a document.

Please take a bit closer look; it's not just a tutorial on IKE with IPv6, it describes how to use IKE and IPsec to set up IPv6-in-IPv4 tunnels.


The background here is that:

 1) trans-mech RFC basically said, "use IPsec if you need security";
    this is no longer considered sufficient, and it is required to
    describe how exactly you use IPsec if you propose to use it.

 2) draft-ietf-v6ops-mech-v2 was revised to just say, "we describe the
    use of IPsec for v6-in-v4 tunnels in another document" [this one].

 3) Steve Bellovin, while he was security AD, requested
    description of IPsec usage (or this document) at his review of
    draft-ietf-mech-v2-xx; he wouldn't want to let draft-ietf-mech-v2
    go forward to the RFC editor's queue before this is done, so
    draft-ietf-v6ops-mech-v2 has been practically stalled from
    completion for the last 4 months or so.

Moreover,

 - it is the responsibility of the WG producing a protocol to document
   how its security works, not the security area (i.e., the security
   area does not have the responsibility to document how to use IPsec
   to secure v6-in-v4 configured tunnels)

 - I suggested that this work could also be done as an individual
   submission to Steve (while he was still AD), but he thought v6ops
   was a better idea <g>.

So, there is quite a bit of history why this document came to be, and why it has been proposed in v6ops, not somewhere else.

However, it may not have been clear enough why exactly it _seems_ that there is no other option than to do it here.

Does this change your view on the document? Any comments from the others?

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings