
Re: Network Layer Security Properties



Frank,

  In my own view, IP/ICMP/etc primarily need to have two properties
that are not currently available: authentication (preclude Super
Source Quench [1], preclude routing attacks, etc) and data integrity
(prevents folks from twiddling other folks' bits without the receiver
knowing about it).

  In my view, these two properties need to be available in an ordinary
IP/SIP/CLNP/etc option and must not require the use of an encapsulating
protocol -- if we want to really provide basic security to the majority
of the Internet sites.  Every site needs these two properties TODAY to
preclude simple obvious attacks on the network and hosts connected to
the network.

  Confidentiality via encryption is not as critical at the network
layer, though probably good to have [2].  For confidentiality, use of an
encapsulating protocol such as SP3 or the ISO Network Layer Security
Protocol (NLSP) sounds reasonable.  Because relatively fewer sites are
really worried about network layer confidentiality, use of an
encapsulating protocol by the interested sites is fine.

  This is not arguing against an SP3/NLSP basis for the IP Security
work.  Rather it is suggesting that, while an encapsulating
SP3/NLSP-like protocol be developed for use, thought also be given to
incorporating compatible authentication/integrity mechanisms in new
options to the regular network protocol (IP/SIP/CLNP/whatever).  I
suspect that not much can really be done with IPv4 because of the
current header/options size restriction.

Regards,

Ran
atkinson@itd.nrl.navy.mil

[1] ICMP message to the victim host that declares the default gateway
    address to be 127.0.0.1; similar attacks are also possible.

[2] I'm trying to avoid starting a layer war here.  Some sites don't
    believe they ever need confidentiality outside the application layer,
    and there is little consensus in the community on the question of
    handling confidentiality at the Transport Layer or the Network Layer.


--
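As an added illustration of the two properties the post asks for (authentication and data integrity), this example is not part of the original message: a keyed tag is computed over the immutable header fields and payload, so a hop that rewrites TTL still verifies, while a twiddled payload bit or a tag made without the shared key is rejected. The key, addresses and payload are constructed for the demo, and key distribution is out of scope.

```python
import hmac
import hashlib
import struct
import socket

# Constructed shared secret for the demo; how keys are distributed is not covered here.
KEY = b"constructed-demo-key"

def covered_bytes(pkt: dict) -> bytes:
    # Fields the tag protects. TTL is excluded (zeroed in its slot) because
    # routers legitimately rewrite it in transit; the tag itself is excluded too.
    return (socket.inet_aton(pkt["src"])
            + socket.inet_aton(pkt["dst"])
            + struct.pack("!BBH", pkt["proto"], 0, len(pkt["payload"]))
            + pkt["payload"])

def add_auth_option(pkt: dict, key: bytes) -> dict:
    # Return a copy of the packet carrying an authentication/integrity tag.
    tagged = dict(pkt)
    tagged["auth"] = hmac.new(key, covered_bytes(pkt), hashlib.sha256).digest()
    return tagged

def verify_auth_option(pkt: dict, key: bytes) -> bool:
    # True only if the tag was produced with `key` over exactly these covered fields.
    tag = pkt.get("auth")
    if tag is None:
        return False
    expected = hmac.new(key, covered_bytes(pkt), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def forward(pkt: dict) -> dict:
    # Simulate one router hop: TTL decremented, everything else untouched.
    hop = dict(pkt)
    hop["ttl"] -= 1
    return hop

def flip_payload_bit(pkt: dict) -> dict:
    # Simulate an on-path party altering a single payload bit.
    tampered = dict(pkt)
    data = bytearray(pkt["payload"])
    data[0] ^= 0x01
    tampered["payload"] = bytes(data)
    return tampered

def demo() -> dict:
    # Constructed packet: documentation-range addresses, protocol 1 (ICMP).
    original = {"src": "192.0.2.10", "dst": "198.51.100.7", "proto": 1,
                "ttl": 64, "payload": b"constructed payload bytes"}
    sent = add_auth_option(original, KEY)
    return {
        "after_hop": verify_auth_option(forward(sent), KEY),                           # True
        "tampered": verify_auth_option(flip_payload_bit(sent), KEY),                    # False
        "forged": verify_auth_option(add_auth_option(original, b"wrong-key"), KEY),     # False
    }
```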