SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    Adaptec and Transport Mode



    > Dear IPS Chair,
    
    Since this was apparently addressed to me, I guess I need to respond.
    Let me start with the area of agreement.
    
    -- Scope of IPS security specifications
    
    >   A. Prime Directive: IPS Security MUST be implemented. It should be
    > 		"end-to-end".
    > 
    >       Why? Jeffery Schillers
    > http://www.ietf.org/internet-drafts/draft-ietf-saag-whyenc-00.txt
    
    FWIW, it is my understanding is that this draft did not make it through
    IETF Last Call.  I'm expecting significant revisions to it that will
    hopefully lend more clarity to discussions such as this one.
    
    >   Implications : 1) Anything less than end-to-end is outside 
    > 				the scope of IPS security, hence should not
    be
    > 				specified by this WG. In fact, it is
    orthogonal.
    >                       Ideally, one ought to implement "additional"
    > 				nested tunnel for VPN, firewall etc. over
    and
    > 				above end-to-end.
    >                   2) It is fair game to implement less than end-to-end
    > 				(firewall, gateway etc.) in lieu of
    end-to-end,
    >				if their customers are happy with it. There
    is 
    >                       no need to claim compliance with "IPS security"
    >				in that case. The WG should not encourage
    this
    >				usage, if it still believes in the above
    "prime
    >				directive".
    
    I agree with these implications, although I would have used "in
    addition to" instead of "in lieu of" in the second one and omitted
    its last sentence, as there's nothing wrong with firewalls, gateways,
    etc.  As Bernard Aboba has already posted, this was discussed in
    Minneapolis, and the next revision of the IPS Security draft will
    contain text to make this set of issues clearer.
    
    Moving on to the areas of disagreement ...
    
    -- RFC 2401 transport mode requirements
    
    Shridhar started from RFC 2401 and somehow came up with a "SHOULD
    use transport" recommendation when two hosts are communicating.
    That is incorrect - not only does RFC 2401 not contain any such
    recommendation , but it contains the following (Section 4.1, p.9):
    
    	Two hosts MAY establish a tunnel mode SA between themselves.
    
    As those terms defined by RFC 2119, this "MAY" is inconsistent with
    "SHOULD use transport" between two hosts.  Please read the RFCs
    *before* undertaking to lecture the WG on their contents.
    
    -- Technical arguments for tunnel mode
    
    >   From my understanding, all the technical arguments "for" TUNNEL
    > 	have been addressed and all shot down,
    
    I believe that to be incorrect.  I have never seen a refutation of
    the technical argument that there are advantages to being able to reuse
    existing IPsec implementations that do not do transport mode well (e.g.,
    IPsec security gateway implementations).  
    
    >   Without getting into implementation details, as an implementer of
    > multi-Gig silicon, I can assure you that implementing security gateway
    > is a very expensive problem compared to end-point security which can be
    > implemented as part of a highly integrated silicon.
    
    That is a misleading exercise in strawman demolition.  Tunnel mode can
    be implemented as part of end-point security, as RFC 2401 requires hosts
    to support tunnel mode.  There is no text in any of the IPS drafts that
    REQUIRES a security gateway implementation.
    
    -- Analysis and Disposition of Request
    
    In the absence of WG rough consensus, Shridhar is asking that the
    WG chairs and/or others force the IPS WG to adopt some form of
    a "MUST implement" requirement for transport mode.  RFC 2119
    defines MUST as follows:
    
      1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that
         the definition is an absolute requirement of the specification.
    
    and goes on to say:
    
      6. Guidance in the use of these Imperatives
    
         Imperatives of the type defined in this memo must be used with care
         and sparingly.  In particular, they MUST only be used where it is
         actually required for interoperation or to limit behavior which has
         potential for causing harm (e.g., limiting retransmisssions)  For
         example, they must not be used to try to impose a particular method
         on implementors where the method is not required for
         interoperability.
    
    So, we are looking for an "absolute requirement" "for interoperation or
    to limit behavior which has potential to cause ham (e.g., limiting
    retransmissions)."
    
    One of Shridhar's Adaptec colleagues tried to make the argument that
    transport mode is required for interoperation (i.e., that omitting it
    will cause interoperability problems) and was "shot down" in Minneapolis
    on the basis that IKE handles this negotiation (see SA Attribute 4 in
    Section 4.5 of RFC 2407).  That leaves "limit behavior which has
    potential for causing harm".  If it were extraordinarily difficult or
    impossible to use tunnel mode for end-to-end security, or to configure
    it for such use, the resulting inability to use and/or barriers to the
    use of end-to-end security could fall into that category, but Shridhar
    says:
    
    >   I am not saying that tunnel can not be used for end-to-end.
    
    In other words (taking out the double negative), tunnel mode can
    be used for end to end security.  Discussion on the list has confirmed
    that not only does RFC 2401 permit this, but it actually works in
    practice ("running code", what a concept ...).
    
    Since Shridhar's request is contrary to RFC 2119, it is hereby DENIED,
    especially as it appears to "try to impose a particular method on
    implementors where the method is not required for interoperability"
    which is forbidden by RFC 2119.
    
    Shridhar also mentions the performance difference between tunnel and
    transport mode - the current rough consensus on the list is that this
    difference merits discussion and a lower-case "should" for transport
    mode when an implementor considers performance to be an important
    consideration.
    
    -- Ulterior Motives
    
    Since Shridhar has chosen to speculate on the motives of others ...
    
    >   Regarding consensus ..., is it possible that most of the "tunnel"
    >	enthusiasts 
    >   a) do not want to see security as part of IPS anyway, and/or
    >   b) want security, but not end-to-end.
    
    ... I find it necessary to report to the WG that in a heated hallway
    discussion prior to the Tuesday meeting of the IP Storage WG in
    Minneapolis, some of Shridhar's Adaptec colleagues made it clear to
    me in no uncertain terms that the change to "MAY implement transport
    mode" would cause a major product cost increase for Adaptec.  I will
    leave it to others to draw their own conclusions ...
    
    -- Conclusion
    
    The request to impose a "MUST implement transport mode" requirement
    in the absence of WG rough consensus is hereby DENIED.  This issue
    needs to stay closed if people want these drafts to make it
    through WG last call before Yokohama.
    
    Thanks,
    --David
    ---------------------------------------------------
    David L. Black, Senior Technologist
    EMC Corporation, 42 South St., Hopkinton, MA  01748
    +1 (508) 249-6449 *NEW*      FAX: +1 (508) 497-8500
    black_david@emc.com         Cell: +1 (978) 394-7754
    ---------------------------------------------------
    


Home

Last updated: Fri Apr 12 16:18:20 2002
9636 messages in chronological order