
Re: TLS vs. IPsec (Was: Re: experiments in the ietf week)

2008-03-25 08:20:52
On 24 Mar 2008, at 18:58, Jari Arkko wrote:

Now, if we had a proposal that turned IPsec into as easily deployable
between random clients and known servers as TLS, I would be interested
in a new experiment! But I did not see a proposal for that yet. Maybe
time for that draft that Phillip suggested in another thread,

I'm afraid that won't work because of scheduling conflicts if I wanted
to present such a draft to the appropriate SEC area wg...

A quick s/TLS/IPsec/g isn't realistic, but I would certainly be
interested in seeing one or more IETF services use some kind of IPsec
protection in order to see if this is workable in practice. There are
APIs that allow applications to set this up on a per-application
basis, unless I'm mistaken.

I believe you're mistaken. There is much work that needs to be done in this
area before it will be possible for applications to use IPsec this way. The
good news is that the BTNS WG is actively working to fill this gap; see

    An abstract interface between applications and IPsec 
    IPsec Channels: Connection Latching (draft-ietf-btns-connection-latching-06)
    IPsec Application Programming Interfaces (draft-ietf-btns-c-api-03)

But even if this work is successful it will be many years before the necessary
support is sufficiently widely implemented and deployed to be usable, assuming
that ever happens.

IETF mailing list
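The connection-latching draft cited in the reply is easier to picture with a small model. The following is an added illustration for this archive page, not code from the thread, from the BTNS drafts, or from any IPsec stack. The SA fields, the LatchedConnection class, the peer identities and the scenario inputs are all constructed; the semantics it models (the first SA carrying a connection's traffic fixes the peer identity, later segments on that connection are accepted only from SAs with matching parameters, and the application can read the latched identity back) are an assumed reading of the draft, not its API.

```python
"""Toy model of IPsec connection latching (after draft-ietf-btns-connection-latching).

Constructed illustration only: the SA representation, the LatchedConnection
class and the scenario below are assumptions about the draft's semantics,
not a real kernel or application interface.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SA:
    """Minimal stand-in for an IPsec security association (constructed)."""
    spi: int
    peer_id: str           # identity the SA was authenticated to; "" for BTNS
    authenticated: bool    # False for an unauthenticated (BTNS) SA


@dataclass(frozen=True)
class Latch:
    """What a connection latches to: the peer identity and its auth status."""
    peer_id: str
    authenticated: bool


class LatchedConnection:
    """A transport connection whose IPsec protection is latched on first use.

    Assumed semantics: the first SA that carries the connection's traffic
    fixes the peer identity; later segments on the same connection are
    accepted only from SAs that match it (a rekeyed SA to the same peer is
    fine, a different peer is not), and the application can query the
    latched identity. Not a real API.
    """

    def __init__(self, require_authenticated: bool = False):
        self.require_authenticated = require_authenticated
        self.latch: Optional[Latch] = None
        self.dropped = 0

    def deliver(self, sa: SA) -> bool:
        """Return True if a segment arriving under `sa` may be delivered."""
        if self.latch is None:
            # First segment: optionally refuse to latch to an unauthenticated SA.
            if self.require_authenticated and not sa.authenticated:
                self.dropped += 1
                return False
            self.latch = Latch(sa.peer_id, sa.authenticated)
            return True
        # Subsequent segments must come from an SA with the latched parameters.
        if (sa.peer_id, sa.authenticated) != (self.latch.peer_id, self.latch.authenticated):
            self.dropped += 1
            return False
        return True

    def peer(self) -> Optional[str]:
        """What an application would ask the stack: who is at the other end."""
        return None if self.latch is None else self.latch.peer_id


def scenario() -> dict:
    """Run the cases an application cares about and return the outcomes."""
    # Constructed SAs: two SAs to the same authenticated peer (a rekey),
    # one SA to a different peer, and one unauthenticated BTNS SA.
    peer_a_sa1 = SA(spi=0x1001, peer_id="CN=ietf.example", authenticated=True)
    peer_a_sa2 = SA(spi=0x1002, peer_id="CN=ietf.example", authenticated=True)
    peer_b_sa = SA(spi=0x2001, peer_id="CN=other.example", authenticated=True)
    btns_sa = SA(spi=0x3001, peer_id="", authenticated=False)

    conn = LatchedConnection()
    results = {
        "first_latches": conn.deliver(peer_a_sa1),
        "rekey_ok": conn.deliver(peer_a_sa2),
        "other_peer_dropped": not conn.deliver(peer_b_sa),
        "btns_after_latch_dropped": not conn.deliver(btns_sa),
        "latched_peer": conn.peer(),
        "dropped": conn.dropped,
    }

    # A connection that insists on an authenticated peer never latches to BTNS.
    strict = LatchedConnection(require_authenticated=True)
    results["strict_rejects_btns"] = not strict.deliver(btns_sa)
    results["strict_unlatched"] = strict.peer() is None

    # A connection latched to a BTNS SA does not silently upgrade to another peer.
    opportunistic = LatchedConnection()
    opportunistic.deliver(btns_sa)
    results["btns_then_auth_dropped"] = not opportunistic.deliver(peer_a_sa1)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of the model is the gap the reply describes: without a latch and a way to read it back, an application has no guarantee that the peer it authenticated on the first segment is still the peer behind later segments, which is exactly what TLS gives it for free within one session.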