Where does security belong?

[teb@saturn.sys.acc.com (Tom Benkart)]

I'd like to second Phil's comments about the "appropriate" place
for security in the protocol stack.  Restricting information at
the IP layer to only that which is needed by end AND intermediate
(router) systems is my strong preference.  Not very much security-
related information falls into this category.

Unfortunately, we may not have much choice, since only IP is up
for redesign at this time (I agree that the current option size
limit in IPv4 will limit what we can do in the current version).
Is it feasible to suggest adding new TCP/UDP/??? options?  If
something like PIP is chosen as IPv7, maybe whatever the routers
needed could be included in the Handling Directives, whereas
information only needed by the end systems could be ignored by
the routers.  The other IPv7 proposals don't have anything like
a "router sublayer".

Most of the discussion so far has centered around authentication,
integrity and confidentiality.  By my criteria from the first
paragraph, none of these *have* to be handled at the IP level.

Conspicuously absent from the discussion is any mention of access
control, which would have to be done at the IP level since routers
might need to restrict routes based on that information.  It is
also interesting that access control is about the only thing the
current RIPSO/CIPSO provides.  Is the lack of mention of access
control because no one really wants/needs it, or because it is
assumed as a given?

Tom Benkart
ACC Systems

---

Follow-Ups:

• Re: Where does security belong?
• From: Steve Kent <kent@BBN.COM>

---

• Prev by Date: RE: Re: IPSEC & ROAD
• Next by Date: Re: Where does security belong?
• Prev by thread: Re: IPSEC & ROAD
• Next by thread: Re: Where does security belong?
• Index(es):
  • Main
  • Thread