Thomas, all,

On Wednesday 27 February 2008, Thomas Narten wrote:
> Tony,
>
> > For those that have forgotten, the entire reason for mandating
> > IPsec is to get away from the 47 flavors of security that are never
> > really configured correctly or completely understood. Yes for any
> > given situation someone can design an optimized protocol, but as
> > soon as the situation changes the optimization no longer applies,
> > and may expose unexpected holes. This was in fact happening at the
> > time the mandate was put in.
>
> Right. Having one way to do things is far better than having 47.
>
> But if we look at the reality of things, IPsec (and we have to
> include IKE in evaluating this), IPsec just isn't the ideal
> one-size-fits-all technology we'd like it to be.
>
> For example, one big problem is the lack of a proper API for
> applications to communicate with IPsec to select services and verify
> that a certain level of security is present.

Would that be the major showstopper in using IPsec for other things than
VPNs, the IETF has chartered the BTNS WG to work on APIs to communicate
with IPsec. The WG currently has two documents that need reviews:

http://tools.ietf.org/wg/btns/draft-ietf-btns-abstract-api/
http://tools.ietf.org/wg/btns/draft-ietf-btns-c-api/

> Second, good security says "don't trust anyone but yourself". So, do
> you trust the OS you are running on?

If someone cares about security but doesn't trust the OS he's running
on, I think the best thing he can do is to not use the OS in question.

> Do you trust the IPsec embedded in the system that was implemented by
> a third party?

Keeping IPsec mandatory would be one facilitator of the move from IPsec
implementation from third party to native IPsec implementation shipped
with the OS that has to be trusted.

> Smart applications implement their own security (e.g., TLS) to ease
> deployment.

How many applications really implement their *own* security? Many
applications I'm using daily rely on libraries shipped with the OS that
has to be trusted, e.g. gnutls and openssl.

> We'll never get them to rely on IPsec, at least not until it's much
> more widely available/useable.

Agree. But I think the availability part can be helped by keeping IPsec
mandatory (so that it gets in more and more OS's), while the usability
part can be helped by getting the BTNS WG to deliver its APIs (so that
applications can finally start using IPsec).

--julien

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
