Hi Paul,
sorry, I don't understand your statement. Yes, IKEv1 is popular but
(formally) obsolete. It is still our responsibility to ensure that it
doesn't gain new and insecure extensions in its old age. The way we do
it is through the normal IETF/RFC-Ed/IANA bureaucratic processes.
Unlike Tero, I don't think people will be adding non-IETF extensions of
this sort to IKEv1. New crypto algorithms, maybe. But new authentication
methods? I'd be surprised.
I'm fine with Tero's proposal to resolve this question in Paris.
Thanks,
Yaron
On 02/09/2012 08:10 PM, Paul Hoffman wrote:
> On Feb 9, 2012, at 9:59 AM, Yaron Sheffer wrote:
>
>> Hi Pearl, Tero,
>> Regarding the first change (IPsec Auth Methods), I prefer the existing language. Even
>> though IKEv1 has been obsoleted, I think change control of this central piece of the
>> protocol needs to still require a higher bar than just "specification required".
>> I'm afraid my co-chair disagrees, but he can surely speak for himself...
>
> I do, and I can. The overhead of requiring IETF and RFC Editor process for
> extensions to a popular-but-obsolete protocol is not worth it. If someone
> publishes a new authentication mechanism for IKEv1 that has significant flaws
> (and they certainly will), they publish a new document and it gets a new
> identifier. This will damp out fairly quickly, and auth mechanism developers
> will get more input before publishing.
>
> --Paul Hoffman
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec