Subject: Re: [Ipsec] Request for Comment on IPv6-based Global Air Space communication network requirements
From: Sheila Frankel
Date: Thu, 24 Feb 2005 08:17:59 -0500
To: ivancic
CC: grance@nist.gov

Hi,

I just looked over your RFC. Several of the design concepts may, in practice, be mutually exclusive.

1) prioritized traffic vs. encrypted IPsec: I'm not sure what mechanism you intend to use for traffic prioritization, but you need to ensure that it's compatible with IPsec. In some cases, the data needed to screen the traffic for prioritization can be encrypted by IPsec. In such a case, placement of IPsec gateways relative to the entity performing the traffic priority sorting is critical.

2) multicasting: Classic IPsec protects traffic between a single sender and a single responder. Thus, it cannot handle multicast traffic, which has multiple senders and/or responders. There are variants of IPsec that can handle different flavors of multicast traffic. However, the security issues posed by multicast traffic generally call for different classes of solutions that are optimized for one or more subsets of the totality of multicast traffic (e.g., single-sender multicast, multicast with basically fixed membership vs. constantly changing membership, etc.)

3) scalable to tens of thousands of aircraft: configuring large numbers of IPsec clients can be challenging. In some cases, a proprietary solution may be the optimal approach; if the proprietary nature of the solution is limited to the configuration stage, it may still allow for interoperability. However, interoperability on such a large scale may be difficult to achieve, especially with certificate-based authentication.

4) IPv6: I don't know what your time frame is, but you should investigate whether off-the-shelf, quality products will be available that meet your other needs and are also IPv6-capable. It's critical that they be not only IPv6-capable, but fully tested under IPv6.

I hope these comments are helpful. Please let me know if further clarification is needed.

Sheila Frankel
sheila.frankel@nist.gov

Quoting ivancic:

>> NASA has formulated a list of requirements to ensure global
>> interoperability and deployment. NASA is seeking comments from various
>> industries, academia and government agencies throughout the world
>> regarding these salient requirements. Comments are being sought from
>> those directly involved in aeronautics, as well as telecommunication,
>> communication, computer and information assurance providers as we
>> believe those outside the traditional aeronautics community have
>> expertise and insight that is directly applicable to network centric
>> operations. Application of commercial off the shelf technologies and
>> techniques will, hopefully, enable network centric operation to be
>> economically and technically realizable over the Global Airspace System.
>>
>> Note, there are some fundamental security requirements presented
>> regarding IPSec and use of security mechanisms over a Global Network.
>> Any input and constructive criticism by the Security community regarding
>> these proposed requirements is welcome.
>>
>> A user friendly URL for this request can be found here:
>> http://roland.grc.nasa.gov/~ivancic/RFI/rfi.html
>>
>> The official announcement is here:
>> http://prod.nais.nasa.gov/cgi-bin/eps/synopsis.cgi?acqid=114192
>>
>> Please feel free to forward this request to whomever you may feel would
>> benefit
>>
>> --
>> ******************************
>> William D. Ivancic
>> Phone 216-433-3494
>> Fax 216-433-8705
>> Lab 216-433-2620
>> Mobile 440-503-4892
>> Yahoo ID: ivancic
>> http://roland.grc.nasa.gov/~ivancic
>>
>> _______________________________________________
>> Ipsec mailing list
>> Ipsec@ietf.org
>> https://www1.ietf.org/mailman/listinfo/ipsec