
IPSP Alternatives
IPSECers:

I understand that IPSEC intends to develop a cryptographic security protocol in
the Network Layer to protect client protocols of IP.  The protocol formats for
the IPSP will be independent of cryptographic algorithms.  Host-to-host
security will be addressed first, then subnet-to-subnet and host-to-subnet
security will be addressed.

I see three likely alternatives for IPSP.

Alternative 1:  Network Layer Security Protocol (NLSP)

This alternative adopts the connectionless form of ISO NLSP with minimal
changes.  This technique will probably be compatible with the current IP and
the revised IP (IP version 7).  Basically two changes are being considered.
The first change is clearly mandatory for the Internet protocols to work; the
second change is needed to support super-encryption in some network
topologies.

First, NLSP needs a protocol field to carry the next-protocol identifier.  The
next-protocol field in IP will indicate that NLSP is above IP, and the new
field in NLSP will indicate which protocol is above NLSP.  This is the
traditional demultiplexing technique used in Internet protocols.

Second, NLSP as currently specified does not permit NLSP to run over itself in
all possible network topologies.  In particular, NLSP cannot be implemented at
both hosts and routers, such that the routers super-encrypt the host-encrypted
traffic, unless some other network protocol runs between the two instantiations
of NLSP.
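To make the two changes concrete, here is a toy model (added for illustration, not code from the IPSEC group or from ISO) of the next-protocol demultiplexing chain: IP's field says "NLSP", the proposed NLSP field says what sits above NLSP, and a receiver peels a router's super-encrypting NLSP layer and then the host's layer with no other network protocol in between. Protocol numbers, the one-byte header and the XOR body are all constructed stand-ins, not the NLSP wire format, and the model assumes the next-protocol field alone is what makes NLSP-over-NLSP peelable.

```python
import struct

# Constructed identifiers for this toy model; not real IANA or ISO assignments.
IP_PROTO_NLSP = 250   # value the IP next-protocol field would carry for NLSP
UPPER_TCP = 6         # value the proposed NLSP next-protocol field carries for TCP


def nlsp_encap(next_proto: int, payload: bytes, key: int) -> bytes:
    """Stand-in NLSP unit: 1-byte next-protocol field followed by the body.
    XOR with a one-byte key is a placeholder for the real cipher."""
    body = bytes(b ^ key for b in payload)
    return struct.pack("!B", next_proto) + body


def nlsp_decap(unit: bytes, key: int) -> tuple:
    """Inverse of nlsp_encap: read the next-protocol field, undo the XOR."""
    next_proto = struct.unpack("!B", unit[:1])[0]
    return next_proto, bytes(b ^ key for b in unit[1:])


def demux(ip_next_proto: int, data: bytes, keys: list) -> tuple:
    """Follow next-protocol fields down the stack, the way IP demultiplexes
    to its clients.  Each NLSP layer peeled consumes one key (outermost
    first); the chain records every protocol seen on the way down."""
    chain, proto, depth = [], ip_next_proto, 0
    while proto == IP_PROTO_NLSP:
        proto, data = nlsp_decap(data, keys[depth])
        chain.append("NLSP")
        depth += 1
    chain.append(proto)  # the first non-NLSP client protocol reached
    return chain, data


def host_then_router(segment: bytes) -> tuple:
    """Host encrypts a TCP segment with NLSP; a router then super-encrypts the
    host's NLSP unit with a second NLSP instance.  Because each layer carries
    a next-protocol field, the far end can peel both layers directly."""
    host_key, router_key = 0x5A, 0xA5  # constructed keys for the two instances
    host_unit = nlsp_encap(UPPER_TCP, segment, host_key)
    router_unit = nlsp_encap(IP_PROTO_NLSP, host_unit, router_key)
    # The IP header's next-protocol field says NLSP; peel router, then host.
    return demux(IP_PROTO_NLSP, router_unit, [router_key, host_key])


if __name__ == "__main__":
    print(host_then_router(b"TCP segment"))
```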

Alternative 2:  A Convergence Protocol for NLSP

This alternative leaves NLSP unchanged, but defines a convergence protocol to
carry the next-protocol identifier.  This technique will probably be compatible
with the current IP and the revised IP (IP version 7).  One advantage with this
approach is that the same convergence protocol would work with the ISO
Transport Layer Security Protocol (TLSP).  This approach does not address
super-encryption in all network topologies, but assumes that ISO will make the
necessary adjustments to NLSP to resolve this problem.

Alternative 3:  Customized IP Security Protocol

This alternative does not use any ISO defined protocol.  Instead, IPSP is
designed specifically for IP.  The lessons from SP3 and NLSP will be used to
avoid some of the same pitfalls.  With this approach, the resulting IPSP may
not be compatible with the revised IP (IP version 7).

In order to speed IPSP development, I would like to start a discussion of the
pros and cons of each alternative.

Russ