hi folks--

At the end of the WG meeting in Toronto, Sharon Liu asked (as noted in
the minutes):

>  Can this problem be resolved in a different way? Why isn't IPsec used more 
> widely?

If this isn't feasible as an option, I think it's worth explicitly
stating why we're ruling it out.

Clearly, IPsec deployment in its standard modes is excruciatingly
painful, or else it would have seen wider adoption.

But if we're talking about taking existing protocols, slimming them down
to a sane/minimal profile, and doing away with the need for strong
authentication for the baseline (opportunistic) connection, is there a
reason to avoid considering IPsec as a mechanism?

I haven't worked out the details here -- there might be an obvious
reason that we don't want a minimalist IPsec profile (e.g. would
failover when connecting to non-compatible servers introduce a lot of
latency? Is there no way to consider higher-level authentication hooks?
Is the fact that it is per-host instead of per-port a problem? Will
middleboxes freak out?) -- but it deserves some attention and documentation.

One obvious advantage of encouraging minimalist deployment of IPsec is
that it would be useful beyond TCP itself -- I don't know if that takes
it out of scope for this WG, though.

Has anyone on this list explored the merits and costs of IPsec as a
comparison with the other proposals?

        --dkg

_______________________________________________
Tcpinc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tcpinc