
Re: [saag] IPsec spec problems



Pekka Savola writes:
> >   The model described below is nominal; implementations need not
> >   match details of this model as presented, but the external behavior
> >   of implementations MUST correspond to the externally observable
> >   characteristics of this model in order to be compliant.
> 
> That's nice -- unfortunately, unless the motivation of IPsec folks was 
> to make it more difficult to create new (competing) implementations, 
> leaving out important details on what the spec actually means and 
> what's the best way to implement things may be an issue.

I do not think it is IETF's work to design software architecture for
the implementations. The current specification is high level enough
that vendors can do software architecture in multiple different ways,
but can still be compatible with the IPsec architecture document. For
example in our implementations the old IPsec Express toolkit and the
newer Quicksec toolkit used completely different software
architecture. Neither one of those used the exact model described in
the architecture draft, but both of them should be compatible with it,
i.e. matching the external behavior of the architecture document.
Those two toolkits were designed with quite different scenarios in mind,
so that does affect the high level architecture, although both of them
can also be used to do the same basic things described in the IPsec
architecture.

If the architecture document went into a more detailed level, then
doing those kinds of different software architectures would be harder and
harder.

Anyways, there have been multiple vendors who have managed to make
interoperable implementations of IPsec, so I think that proves
that the documents are matching the requirements set by the IETF.

At least I think that IETF's job is not to provide detailed software
architectures for how to implement things, but to provide good enough
documentation that people can implement interoperable implementations
of the protocols.

The issues in the interoperability meetings have mostly been in the
bits on the wire level or just normal software bugs, I do not think
there have been that many problems in the architecture issues there.
Of course testing there has mostly concentrated on the bits on the
wire, not on the architecture...
-- 
kivinen at safenet-inc.com

