Hi, Tom,
On 11/29/2016 12:56 PM, Tom Herbert wrote:
> On Tue, Nov 29, 2016 at 12:04 PM, Joe Touch <[email protected]> wrote:
>> Hi Brian,
>>
>> On 11/29/2016 11:43 AM, Brian E Carpenter wrote:
>>
>>>>> I also don't really understand the security model. There is some
>>>>> discussion of IPsec tunnels and RFC3884. If we use IPsec tunnels, why
>>>>> would we need DTLS? For that matter, if we use TLS tunnels, why would
>>>>> we need DTLS?
>>>>
>>>> TLS is a very bad idea. We should never try to tunnel IP over TCP.
>>>
>>> I agree it's a terrible idea, but pragmatically situations can arise
>>> where it's the only real option.
>>
>> Sure, but it's bad enough to try to avoid if there are other alternatives.
>>
> This is why we like DTLS as opposed to IPsec: to the network this just
> looks like UDP, which presumably is more palatable to some network
> devices.

Those devices might support "network connectivity", but they are NOT the Internet. The Internet is supposed to be agnostic to IP packet contents.

Further, IPsec over UDP also exists (RFC3948).

> DTLS can also be implemented by an application (e.g. in userspace).

So can IPsec over UDP.

> GUE with DTLS is nice because we can have both an extensible
> encapsulation header that might be readable by the network as well as
> a secured payload.

There are many tunnels that have extensible headers. Additionally, IPsec can protect the tunnel header, whereas DTLS cannot.

However, I agree that there are many solutions.

>>>> DTLS might be available where IPsec isn't.
>>>
>>> If that is the case, it needs to be explained in more detail in the draft.
>>
>> Agreed.
>>
>>> Anyway it needs to be a clear choice: IPsec or DTLS, but not both.
>>> (This is a point that has also come up in the Anima WG, as it happens.)
>>
>> Agreed as well.
>>
> I'm not sure I understand why this is a binary choice. The draft isn't
> requiring any particular tunnel encapsulation, and so security isn't
> required (might depend on encapsulation). Or does this mean that we
> want to avoid using DTLS or TLS simultaneously on the same packets?
> (which does seem like a bad idea...)

I think Brian was saying there might be little benefit to using both IPsec and DTLS on the same packet, but I also think we're all in agreement here.

Joe

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
