>>>>> "Tero" == Tero Kivinen <kivinen at iki.fi> writes:
Tero> Anyways, there has been multiple vendors who have managed to
Tero> make interoperable implementations of the IPsec, so I think
Tero> that proves that the documents are matching the requirements
Tero> set by the IETF.
I agree that RFC 4301 matches the requirements of the IPsec working
group. However, while we've had multiple interoperable
implementations, I cannot say we've had reasonable success within the
IETF at describing the security of higher level protocols in terms of
RFC 2401 or 4301. I think this is a new requirement.
I don't think this indicates a bug in 4301 or 2401. I think it simply
means we have new work to do. My personal view on that work is that we
need to specify a model that is more useful to protocol designers but
that can be implemented in terms of 4301. I.e., we don't make changes
to 4301, but we provide a conceptual model. We may end up saying that
features optional in 4301 (such as multiple SPDs and an SPD selection
function that considers source interfaces) are required for
implementations used to secure higher layer protocols.
I guess it is always possible we would find bugs in 4301 while working
on that effort. I don't think it is particularly more likely than
with any other specification effort.