
Re: [saag] IPsec spec problems

At 12:12 PM -0700 5/4/06, Barry Greene (bgreene) wrote:


 I appreciate your exploration of the option relative to your
 in-depth knowledge of Cisco implementations, but I hope
 you'll understand if I suggest that a broader evaluation of
 what is and is not viable is what is needed when we consider
 options for IETF standards.

I'm all for more empirical work in this area - as long as IETF
"standards" work keeps on the path of _working_ code. And from the
operator's view point, operationally deployable code.

This conversation started around questions on draft-bonica-tcp-auth. You
have vendors and operators documenting what they have found to be
operationally deployable code that will meet their needs. There is a
question of what SAAG "should we say to the TCPM folks."

What's next?

Barry,

I apologize for not offering a more concrete suggestion. What I would suggest is a document, suitable for publication as an informational RFC, that explains the analysis that you cited and thus argues why a revised TCP MAC option is preferable to use of IPsec, in a vendor neutral fashion.

As for alignment with operator requirements, I note that when Ron briefed this I-D to RPSEC attendees, he was told by an operator that any notion of changing keys more frequently than once a year was out of the question. This was prompted by Ron's comment that he made provision for 64 keys in the list so that one could change keys every month or so, and thus one could have up to two years of keys pre-loaded and ready to access.

So, in at least this respect, it was not clear that the cited operations model matched operator perception of what is required/appropriate.

Steve
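To make the key-rotation arithmetic discussed above concrete, here is an added example that is not from the thread, from draft-bonica-tcp-auth, or from any vendor implementation. It models a hypothetical pre-loaded key list with a fixed number of slots (64, the figure mentioned in the thread), each slot valid for one rotation interval, and a MAC that carries the key ID so the receiver picks the matching key. The 30-day interval, the MAC construction, its truncation, and the wire layout are all assumptions made for this example, not the draft's format.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical model of a pre-loaded key list: a fixed number of slots
# (64, matching the list size mentioned in the thread), each slot valid for
# one rotation interval. The interval, MAC construction and wire layout are
# assumptions for this example, not the format of draft-bonica-tcp-auth.
ROTATION = timedelta(days=30)   # "every month or so", approximated as 30 days
MAX_KEYS = 64


class KeyChain:
    def __init__(self, start, interval=ROTATION, max_keys=MAX_KEYS):
        self.start = start          # time at which key ID 0 becomes active
        self.interval = interval
        self.max_keys = max_keys
        self.keys = {}              # key ID -> secret bytes (pre-loaded subset)

    def add_key(self, key_id, secret):
        if not 0 <= key_id < self.max_keys:
            raise ValueError(f"key ID {key_id} outside 0..{self.max_keys - 1}")
        self.keys[key_id] = secret

    def active_key_id(self, when):
        # Slot that is current at time `when`; None if outside the list's span.
        slot = (when - self.start) // self.interval
        return slot if 0 <= slot < self.max_keys else None

    def total_span(self):
        # Wall-clock time the full list covers at the configured rotation.
        return self.max_keys * self.interval


def compute_mac(secret, key_id, segment):
    # The key ID is bound into the MAC so a segment cannot be accepted under a
    # different slot's key. Truncated to 16 bytes to fit an option (assumption).
    return hmac.new(secret, bytes([key_id]) + segment, hashlib.sha256).digest()[:16]


def sign_segment(chain, when, segment):
    key_id = chain.active_key_id(when)
    if key_id is None or key_id not in chain.keys:
        raise LookupError(f"no pre-loaded key for slot {key_id} at {when.isoformat()}")
    return key_id, compute_mac(chain.keys[key_id], key_id, segment)


def verify_segment(chain, key_id, mac, segment):
    secret = chain.keys.get(key_id)
    if secret is None:
        return False                # receiver never loaded this slot
    return hmac.compare_digest(mac, compute_mac(secret, key_id, segment))


def demo():
    start = datetime(2006, 5, 1, tzinfo=timezone.utc)
    sender, receiver = KeyChain(start), KeyChain(start)
    # Constructed: both sides pre-load two years of monthly keys (24 slots).
    for key_id in range(24):
        secret = hashlib.sha256(b"constructed-demo-key-%d" % key_id).digest()
        sender.add_key(key_id, secret)
        receiver.add_key(key_id, secret)

    segment = b"constructed TCP segment bytes"
    kid_day10, mac_day10 = sign_segment(sender, start + timedelta(days=10), segment)
    kid_day40, mac_day40 = sign_segment(sender, start + timedelta(days=40), segment)

    # Day 800 lies inside the 64-slot span but beyond the 24 pre-loaded keys.
    try:
        sign_segment(sender, start + timedelta(days=800), segment)
        sign_day800 = "signed"
    except LookupError:
        sign_day800 = "no key loaded"

    return {
        "slot_day10": kid_day10,                      # 0: first month
        "slot_day40": kid_day40,                      # 1: rolled over after 30 days
        "verify_ok": verify_segment(receiver, kid_day40, mac_day40, segment),
        "verify_wrong_slot": verify_segment(receiver, kid_day10, mac_day40, segment),
        "verify_tampered": verify_segment(receiver, kid_day40, mac_day40, segment + b"x"),
        "preloaded_days": 24 * ROTATION.days,         # 720 days of keys loaded
        "list_span_days": sender.total_span().days,   # 1920 days if all 64 slots used
        "sign_day800": sign_day800,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes visible is the gap Steve describes: the list can hold 64 slots, but what actually protects traffic is how many of those slots an operator has loaded and how often the active slot advances. With monthly rotation and 24 keys loaded, signing stops working after two years even though the list itself spans over five; with the once-a-year rotation the operator mentioned, the same 24 slots would last decades. Either way the receiver only needs the key ID from the segment to find the right secret, and a segment presented under the wrong slot or with altered bytes fails verification.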
