
Re: Network Layer Security Properties



	 As for the layer 3/4 controversy, I think it shows that there's a need
	 for both. Layer 3 security is arguably much more flexible and
	 complete.  It covers and protects any arbitrary transport protocol.
	 E.g., authentication between TCP and IP protects TCP against
	 maliciously generated spurious RSTs and connection hijacking.  If the
	 authenticator includes a timestamp, it could protect against
	 long-delayed replay attacks (defense against short-term replay would
	 still be the responsibility of the transport protocol, but this is
	 something it has to defend against anyway since the Internet can
	 duplicate packets occasionally on its own.)

We're going to have to be careful about our terminology here, and
in particular when we use phrases like ``layer 3'' or ``layer 4''
security.  SP4, for example, attaches on the *bottom* of layer 4.
That is, the TP4 or TCP header is encrypted and thus protected from
introduction of spurious RSTs and the like.  Similarly, SP3 is attached
to the bottom of IP (or rough equivalent), thereby protecting (in
some configurations) even the source and destination IP address.

The real differences for these two are (a) the granularity of protection,
and (b) where they can be deployed.  SP4 will guard individual connections,
making it useful for high-security hosts.  SP3 provides protection only
to the level of the host, but for many current machines, that's quite
sufficient.  Also, it can be deployed on routers and gateways, not just
hosts.  That's both good and bad.  It's good, because routers are generally
more secure than hosts, and are fewer in number, making them easier to
upgrade; it's bad, because the granularity of protection is then the
entire network behind the gateway.  (Of course, in many configurations,
all such machines have to be considered part of the same security domain
anyway.)


		--Steve Bellovin
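The mechanism both messages above describe (an authenticator sitting beneath the transport header, so a forged or altered RST fails the check, with a timestamp in the authenticated data to reject long-delayed replays while leaving short-term duplicates to the transport) can be shown in a few lines. The following is an added example written for this archive page, not code from the thread and not an implementation of SP3 or SP4: the header layout, the use of truncated HMAC-SHA256 as the authenticator, the 30-second freshness window and the key are all constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Simplified, hypothetical transport header: ports, sequence number, flags.
# Constructed for this example; it is not the real TCP header layout.
FLAG_RST = 0x04
FLAG_ACK = 0x10
TAG_LEN = 16            # truncated HMAC-SHA256 tag (assumption)
MAX_AGE = 30            # seconds; anything older counts as a long-delayed replay


def build_segment(src_port, dst_port, seq, flags, payload=b""):
    """Transport-layer segment (header + payload) that the authenticator covers."""
    return struct.pack("!HHIB", src_port, dst_port, seq, flags) + payload


def protect(key, segment, now):
    """Attach an authenticator beneath the transport header.

    The tag covers the timestamp and the whole segment, so flags such as RST
    cannot be forged or altered without the key.
    """
    ts = struct.pack("!Q", now)
    tag = hmac.new(key, ts + segment, hashlib.sha256).digest()[:TAG_LEN]
    return ts + tag + segment


def verify(key, packet, now):
    """Return (accepted, reason, segment).

    Only the authenticator and the timestamp are checked here; a duplicate
    that arrives within MAX_AGE is passed through on purpose, because the
    transport protocol has to handle short-term duplicates anyway.
    """
    if len(packet) < 8 + TAG_LEN:
        return False, "truncated", None
    ts_raw, tag, segment = packet[:8], packet[8:8 + TAG_LEN], packet[8 + TAG_LEN:]
    expected = hmac.new(key, ts_raw + segment, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False, "bad authenticator", None
    (ts,) = struct.unpack("!Q", ts_raw)
    if now - ts > MAX_AGE:
        return False, "stale timestamp", None
    return True, "ok", segment


def demo():
    key = b"per-connection-key-shared-out-of-band"   # constructed for the example
    now = 1_000_000
    results = {}

    # 1. Legitimate data segment from the connection's owner.
    good = protect(key, build_segment(40000, 80, 1000, FLAG_ACK, b"GET / "), now)
    results["genuine"] = verify(key, good, now)[0]

    # 2. Attacker without the key injects a spurious RST for this connection.
    forged_rst = (struct.pack("!Q", now) + b"\x00" * TAG_LEN
                  + build_segment(40000, 80, 1001, FLAG_RST))
    results["forged_rst"] = verify(key, forged_rst, now)[0]

    # 3. Attacker flips the flags on a captured authentic segment (hijack attempt).
    tampered = bytearray(good)
    tampered[8 + TAG_LEN + 8] = FLAG_RST   # flags byte follows ports (4) + seq (4)
    results["tampered_rst"] = verify(key, bytes(tampered), now)[0]

    # 4. The authentic segment replayed an hour later: the timestamp rejects it.
    results["late_replay"] = verify(key, good, now + 3600)[0]

    # 5. The same segment duplicated one second later: the authenticator accepts
    #    it; sequence-number handling in the transport must discard the copy.
    results["short_replay"] = verify(key, good, now + 1)[0]
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:13s} accepted={accepted}")
```

The granularity point in the reply maps onto the key: if `key` is shared per connection, a compromise of one connection's key exposes only that connection; if one key covers every packet between a pair of hosts, or between two gateways, the protection is correspondingly coarser.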

