Re: [Ipsec] Results of the Straw Poll re: Fragmentation handling

To: "Theodore Ts'o" <tytso at mit.edu>
Subject: Re: [Ipsec] Results of the Straw Poll re: Fragmentation handling
From: "Scott G. Kelly" <scott at airespace.com>
Date: Thu, 03 Jun 2004 09:51:29 -0700
Cc: ipsec at ietf.org
In-reply-to: <E1BVaoD-0001ap-RK@thunk.org>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: IP Security <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
Organization: Airespace
References: <E1BVaoD-0001ap-RK@thunk.org>
Sender: ipsec-bounces at ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)

Hi Ted,

I'm a little surprised at your assessment of my position on question
#2, so I think I must have been unclear.  Here's your summary:

Scott G. Kelly

> 1.  SHOULD/MUST (for 3 only)
> 2.  MUST NOT
> 3.  SHOULD

Here's what I said for #2:

NONE of the above - why even mention this? I doubt there are many
100% compliant implementations for the first round of ipsec, and find
it highly unlikely that this will change. Implementations that don't
care about fragment security probably don't care about port/protocol
differentiation. The two seem incompatible and unlikely. I can't
believe we've wasted so much time/energy on this.

I'm sorry that this was unclear. What I meant to say was, why even mention this in the draft at all - why make it an option? I guess my point was that if folks want to implement special handling for special cases, history has demonstrated that they will do so whether they have special dispensation or not. It may not make sense to complicate the spec for (what I perceive to be) a very small minority of implementations.

That's not a clear selection of one of the terms you asked for, but it's definitely not a MUST NOT. I guess I should have used the RFC2119 language, in which case I might say "SHOULD NOT", meaning someone that really knows what they are doing might have justification, but this should not be casually undertaken. I think the current draft rev gives cautions for ipv6, but we might want similar cautions for ipv4.

The primary assumption underlying a fragment-only SA is that the other end can be trusted to only put allowable data into the tunnel. Sometimes this assumption is justified, but this is certainly not always the case. Hence, this assumption must be evaluated prior to implementing a fragment-only tunnel.

As an aside, I wonder if anyone requiring such a thing in practice wouldn't be better off to simply "tunnel-all" over a single SA pair.

--Scott

Theodore Ts'o wrote:

The results of the straw poll indicated that out of 16 responses, roughly twice as many contributors (11) preferred that Methods #2 and #3 be a MAY implement, over thouse who preferred that at least one of Methods #2 and #3 be a SHOULD or a MUST (5).

There was also a somewhat surprising number (albeit a minority) who
registered a strong dislike of Method #2 --- four or five respondents
indicated that they thought Method #2 should be a MUST NOT.

Hence, it seems that we have a rough consensus within the working
group that both Method #2 and #3 should both be MAY.  To accomodate
those who dislike Method #2, I would propose that if we can get
someone from that camp to write a paragraph detailing their
objections to mixing non-initial fragments when initial fragments are
not mixed, it would seem to me reasonable to record the minority
dissent in the architecture specification.

- Ted


Yoav Nir 1.  MAY / MAY 2.  MAY 3.  MAY

Tero Kivnen 1.  SHOULD/MUST 2.  MAY 3.  SHOULD

Scott G. Kelly 1.  SHOULD/MUST (for 3 only) 2.  MUST NOT 3.  SHOULD

Michael Roe 1.  MAY / MAY 2.  MAY 3.  MAY

Yougui Cheng 1.  MAY / MAY 2.  SHOULD NOT 3.  MAY

Mark Duffy 1.  MAY / MAY 2.  MAY 3.  MAY

Niklas Hallqvist 1.  MAY / MAY 2.  MAY 3.  MAY

Srini 1.  SHOULD / MUST 2.  MAY 3.  SHOULD

Satoshi Inoue 1.  MAY /  MAY 2.  MAY 3.  MAY

Valery Smyslov 1.  SHOULD / MUST 2.  MAY 3.  SHOULD

Paul Hoffman 1.  MAY / MAY 2.  MAY 3.  MAY

Bora Akyol 1.  MAY  / MAY 2.  MAY 3.  MAY

Joe Tardo 1.  SHOULD / MUST (3 should be MUST) 2.  MAY 3.  SHOULD

Markku Savela 1.  MAY / MAY 2.  MUST NOT 3.  MAY


Mika Joutsenvirta 1.  MAY / MAY 2.  MAY 3.  MAY

Joe Touch 1.  MAY / MAY (2 MUST NOT) 2.  MUST NOT 3.  MAY

_______________________________________________ Ipsec mailing list Ipsec at ietf.org https://www1.ietf.org/mailman/listinfo/ipsec

_______________________________________________
Ipsec mailing list
Ipsec at ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec

Follow-Ups:
- Re: [Ipsec] Results of the Straw Poll re: Fragmentation handling
  - From: Joe Touch

References:
- [Ipsec] Results of the Straw Poll re: Fragmentation handling
  - From: Theodore Ts'o

Prev by Date: [Ipsec] Your information
Next by Date: [Ipsec] Re: Low cost meds - Shipped overnight
Previous by thread: [Ipsec] Results of the Straw Poll re: Fragmentation handling
Next by thread: Re: [Ipsec] Results of the Straw Poll re: Fragmentation handling
Index(es):
- Date
- Thread

Re: [Ipsec] Results of the Straw Poll re: Fragmentation handling

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.