
Re: Discussion of an app-layer API for IPsec

From: <ned.freed@mrochek.com>
Date: Mon, 14 May 2001 15:17:38 -0700 (PDT)
To: Paul Hoffman / IMC <phoffman@imc.org>
Cc: Alexey Melnikov <mel@messagingdirect.com>, Keith Moore <moore@cs.utk.edu>, discuss@apps.ietf.org
Message-id: <01K3K63SVX38003185@mauve.mrochek.com>
> At 2:30 AM -0600 5/14/01, Alexey Melnikov wrote:
> >Keith Moore wrote:
> >
> >>  I basically think that IPsec is nearly useless without an application-layer
> >>  API, but the API needs to not only make applications aware of whether
> >>  a security association has been established (along with the credentials
> >>  so that the application can evaluate them for itself) but also allow
> >>  the application to control the credentials that are used when establishing
> >>  SAs.
> >
> >And one possible use of this API is for the EXTERNAL SASL mechanism,
> >implemented on top of IPSec.

> This makes a lot of sense. Is anyone here in the Apps Area
> interested in really pursuing it? If not, I don't expect it to move
> forward. There are only two or three people in the IPsec area who
> expressed any interest in doing the real work (Bill Sommerfeld and
> Steve Bellovin).

The main problem with application use of IPSec is that it crosses the
application/OS boundary. Crossing such boundaries is tricky -- it places
additional constraints on vendors, release schedules, and so on.

Remember, applications already have TLS/SSL. And while TLS/SSL has many
disadvantages in terms of performance, applicability to UDP, and so on, it has
one truly overwhelming advantage: It is entirely within the application's
control. Application developers spend a lot of their time working around OS
differences, bugs, and other issues, and are underwhelmed by the prospect of
additional issues in this area.

Unless IPSec has a really good story to tell applications about the advantages
that will accrue from its use as well as some indication that it will actually
deploy in a fashion that's usable by applications, I despair of getting
applications people fired up about it.

				Ned
Received on Monday, 14 May 2001 19:07:58 GMT
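As an added illustration (not code from this thread or from any IETF draft), here is the EXTERNAL SASL decision Alexey mentions, written against a hypothetical application-layer view of an IPsec SA of the kind Keith describes; the SecurityAssociation class, the identity map and the proxy-authorization table are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SecurityAssociation:
    """Hypothetical application-layer view of an IPsec SA. No such API exists
    on this page; the fields are assumed for the example."""
    established: bool
    peer_identity: Optional[str] = None   # identity authenticated during IKE, e.g. a cert subject
    auth_method: Optional[str] = None     # how the peer was authenticated, e.g. "rsa-sig"


# Constructed local policy: the identity each authenticated peer gets by default,
# and the additional authorization identities it is allowed to assume.
IDENTITY_MAP = {"CN=mail-relay.example.net": "relay"}
MAY_ACT_AS = {"relay": {"relay", "queue-runner"}}


def advertise_external(sa: SecurityAssociation) -> bool:
    """List EXTERNAL in the server's mechanism list only when the application
    can actually see an established SA carrying a peer credential."""
    return sa.established and sa.peer_identity is not None


def sasl_external(sa: SecurityAssociation, authzid: str) -> Tuple[bool, Optional[str]]:
    """Server-side EXTERNAL decision: rely solely on the lower layer's credential.

    authzid is the client's initial response; the empty string asks the server
    to derive the authorization identity from the external credential.
    Returns (accepted, authorization_identity).
    """
    # Without an established SA there is no external credential to rely on,
    # so EXTERNAL must fail here even if a client asks for it anyway.
    if not advertise_external(sa):
        return False, None
    local = IDENTITY_MAP.get(sa.peer_identity)
    if local is None:
        return False, None   # authenticated peer, but unknown to this application
    if authzid == "":
        return True, local   # derive the identity from the SA's credential
    if authzid in MAY_ACT_AS.get(local, {local}):
        return True, authzid
    return False, None       # proxy authorization not permitted for this peer
```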
