- From: <ned.freed@mrochek.com>
- Date: Mon, 14 May 2001 15:17:38 -0700 (PDT)
- To: Paul Hoffman / IMC <phoffman@imc.org>
- Cc: Alexey Melnikov <mel@messagingdirect.com>, Keith Moore <moore@cs.utk.edu>, discuss@apps.ietf.org
> At 2:30 AM -0600 5/14/01, Alexey Melnikov wrote: > >Keith Moore wrote: > > > >> I basically think that IPsec is nearly useless without an application-layer > >> API, but the API needs to not only make applications aware of whether > >> a security association has been established (along with the credentials > >> so that the application can evaluate them for itself) but also allow > >> the application to control the credentials that are used when establishing > >> SAs. > > > >And one possible use of this is API is for EXTERNAL SASL mechanism, > >implemented > >on top of IPSec. > This makes a lot of sense. Is anyone here in the Apps Area > interesting in really persuing it? If not, I don't expect it to move > forwards. There are only two or three people in the IPsec area who > expressed any interest in doing the real work (Bill Sommerfeld and > Steve Bellovin). The main problem with application use of IPSec is that it crosses the application/OS boundary. Crossing such boundaries is tricky -- it places additional constraints on vendors, release schedules, and so on. Remember, applications already have TLS/SSL. And while TLS/SSL has many disadvantages in terms of performance, applicability to UDP, and so on, it has one truly overwhelming advantage: It is entirely within the application's control. Application developers spend a lot of their time working around OS differences, bugs, and other issues, and are underwhelmed by the prospect of additional issues in this area. Unless IPSec has a really good story to tell appliccations about the advantages that will accrue from its use as well as some indication that it will actually deploy in a fashion that's usable by applications, I despair of getting applications people fired up about it. Ned
Received on Monday, 14 May 2001 19:07:58 UTC