Re: Discussion of an app-layer API for IPsec

> At 2:30 AM -0600 5/14/01, Alexey Melnikov wrote:
> >Keith Moore wrote:
> >
> >>  I basically think that IPsec is nearly useless without an application-layer
> >>  API, but the API needs to not only make applications aware of whether
> >>  a security association has been established (along with the credentials
> >>  so that the application can evaluate them for itself) but also allow
> >>  the application to control the credentials that are used when establishing
> >>  SAs.
> >
> >And one possible use of this is API is for EXTERNAL SASL mechanism,
> >implemented
> >on top of IPSec.

> This makes a lot of sense. Is anyone here in the Apps Area
> interesting in really persuing it? If not, I don't expect it to move
> forwards. There are only two or three people in the IPsec area who
> expressed any interest in doing the real work (Bill Sommerfeld and
> Steve Bellovin).

The main problem with application use of IPSec is that it crosses the
application/OS boundary. Crossing such boundaries is tricky -- it places
additional constraints on vendors, release schedules, and so on.

Remember, applications already have TLS/SSL. And while TLS/SSL has many
disadvantages in terms of performance, applicability to UDP, and so on, it has
one truly overwhelming advantage: It is entirely within the application's
control. Application developers spend a lot of their time working around OS
differences, bugs, and other issues, and are underwhelmed by the prospect of
additional issues in this area.

Unless IPSec has a really good story to tell appliccations about the advantages
that will accrue from its use as well as some indication that it will actually
deploy in a fashion that's usable by applications, I despair of getting
applications people fired up about it.


Received on Monday, 14 May 2001 19:07:58 UTC