Nicolas Williams
2008-04-15 14:31:57 UTC
At Philadelphia I had a conversation with Daniel Migault about
connection latching. Daniel's main insight was that the key task for us
in this I-D was to make absolutely clear what is the impact of this work
on the IPsec architecture, and that that impact is minimal, or none
even.
Daniel subsequently posted suggested text and ASCII art, and though I
used very little of that text as is, Daniel's text and art inspired me
to follow along those lines.
So I made the following changes:
- Simplified and clarified the connection latch state machine,
including a state machine diagram.
- Tailored the description of the normative model of connection
latching to make clear that at its bare minimum it's just a purely
local conflict detection and notification mechanism.
- All features whereby local policy is logically updated are now
optional, with clear warnings that no such logical policy updates
survive reboots.
- Added text to the security considerations section about the impact of
this feature on the IPsec architecture. The impact of optional
features is described in a separate section.
- Added an informative diagram showing the relationships between
various components of an IPsec w/ connection latching system, all in
terms likely to be understood by operating systems developers.
- Added a section describing how connection latching works for each of
the three major transport protocols, even though all the details
therein follow from the remainder of the draft. I thought it would
be good to show that the details relating to SCTP were as simple as
those relating to TCP.
The URL to the rfcdiff tool for the diffs between -06 and -07 is:
http://tools.ietf.org/rfcdiff?url1=http://tools.ietf.org/id/draft-ietf-btns-connection-latching-06.txt&url2=http://tools.ietf.org/id/draft-ietf-btns-connection-latching-07.txt
[No, I've not yet spell-checked -07. I just noticed I misspelt
"simultaneous" -- how embarrassing.]
Nico
--