
Re: Metro addressing & Re: Address uniqueness



Ran,

I have just a small clarification on your comments on network security
protocols.

> II.
>   On an unrelated note, let me explain quickly why security folks like
> to have unique absolute addresses.  The term "EID" means different
> things to different people and so I'm not going to try to talk in
> terms of EIDs here.  I also still don't fully understand all parts of
> PIP so I won't address it here either.  PIP appears to be non-trivial
> to secure, but perhaps that is because I don't understand PIP well
> enough.
> 
>   The existing security protocols (SP3 and ISO NLSP) use frame
> encapsulation to provide protection; I won't address either
> specifically, but will try to describe a generic process.  One takes
> the real network layer datagram and protects using a transformation
> that is reversible and provides some security properties (e.g.
> confidentiality, authentication, integrity).  One then treats the
> output of that transformation as payload and puts it into a new
> network layer datagram with a normal unprotected network header.  
> The protected information _cannot_ be modified or altered whilst in
> transit without that modification causing the back transformation to
> fail.  The information in the unprotected header should not be
> altered whilst in transit (except maybe a TTL field).  At the receive
> end, the protected data is transformed back into normal form for
> processing.  However the process of unprotecting it might rely on the
> values of fields in the unprotected header to give clues as to how to
> unprotect it (e.g. data from system A might use one kind of
> transformation while data from system B might use a different kind of
> transformation).
> 
> Ran
> atkinson@itd.nrl.navy.mil
> 

Both SP3 (Security Protocol Layer 3) and NLSP (Network Layer Security
Protocol - ISO/IEC 11577) have variable length fields that are used
to determine how a datagram should be unprotected.  The Security
Association Identifier (SAID, Key ID in SP3) determines the
algorithm, cryptographic key, and all other information required
to decrypt the protected information.  These protocols do not
rely on any information from lower layers.

Except, ... for a mutant option of connection-oriented NLSP that
uses the address information from an X.25 connection to determine
the "security association".

Paul
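The encapsulation process Ran describes and the SAID-indexed lookup Paul adds to it, as an added example that is not part of either message and not the SP3 or NLSP wire format. The outer header layout, the SA table contents, the inner datagram bytes and the transformation names are all constructed for this example; the stream cipher is a toy HMAC-SHA256 PRF in counter mode standing in for a real cipher so the example runs with the standard library only. It shows the three properties from the thread: the receiver selects the transformation from the SAID alone, a hop may decrement the TTL in the unprotected header without breaking the back transformation, and any change to the protected payload makes the back transformation fail.

```python
import hashlib
import hmac
import os
import struct

# Constructed outer (unprotected) header: version, TTL, src, dst, SAID, IV.
OUTER_HDR = struct.Struct("!BB4s4sH16s")
TAG_LEN = 32

# Constructed Security Association table, indexed by SAID.  As in SP3/NLSP,
# the SAID (Key ID) alone selects the transformation and the keys; nothing
# else in the outer header, and nothing from lower layers, is consulted.
SA_TABLE = {
    0x0001: {"transform": "prf-ctr+hmac", "enc_key": b"A" * 32, "mac_key": b"B" * 32},
    0x0002: {"transform": "hmac-only", "enc_key": None, "mac_key": b"C" * 32},
}

# Constructed inner network layer datagram (arbitrary bytes, not a real packet).
INNER = b"\x45\x00\x00\x1c\xab\xcd\x00\x00\x40\x11\x00\x00" + b"payload data"
SRC, DST = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"


def _keystream(key, iv, length):
    """Toy stream cipher: HMAC-SHA256 used as a PRF in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack("!I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(sa, said, iv, body):
    # The tag binds SAID and IV to the body, so neither can be swapped in transit.
    return hmac.new(sa["mac_key"], struct.pack("!H", said) + iv + body, hashlib.sha256).digest()


def protect(said, inner, src, dst, ttl=64, iv=None):
    """Transform the inner datagram and wrap it in a new unprotected header."""
    sa = SA_TABLE[said]
    iv = os.urandom(16) if iv is None else iv
    body = _xor(inner, _keystream(sa["enc_key"], iv, len(inner))) if sa["transform"] == "prf-ctr+hmac" else inner
    return OUTER_HDR.pack(1, ttl, src, dst, said, iv) + body + _tag(sa, said, iv, body)


def unprotect(outer):
    """Reverse the transformation selected by the SAID; fail on any tampering."""
    _version, _ttl, _src, _dst, said, iv = OUTER_HDR.unpack_from(outer)
    sa = SA_TABLE.get(said)
    if sa is None:
        raise ValueError("unknown SAID %#06x" % said)
    rest = outer[OUTER_HDR.size:]
    if len(rest) < TAG_LEN:
        raise ValueError("truncated datagram")
    body, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(sa, said, iv, body)):
        raise ValueError("back transformation failed: integrity check did not pass")
    if sa["transform"] == "prf-ctr+hmac":
        return _xor(body, _keystream(sa["enc_key"], iv, len(body)))
    return body


def forward_hop(outer):
    """Model a router decrementing the TTL in the unprotected header."""
    fields = list(OUTER_HDR.unpack_from(outer))
    fields[1] -= 1
    return OUTER_HDR.pack(*fields) + outer[OUTER_HDR.size:]


def flip_bit(outer, offset):
    """Flip one bit at offset (used only to show that modification is detected)."""
    b = bytearray(outer)
    b[offset] ^= 0x01
    return bytes(b)


def protected_body(outer):
    """Return the protected payload between the outer header and the tag."""
    return outer[OUTER_HDR.size:-TAG_LEN]


def roundtrip_ok(said):
    return unprotect(protect(said, INNER, SRC, DST)) == INNER


def survives_ttl_decrement(said):
    return unprotect(forward_hop(protect(said, INNER, SRC, DST))) == INNER


def detects_modification(said):
    try:
        unprotect(flip_bit(protect(said, INNER, SRC, DST), OUTER_HDR.size))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for said in SA_TABLE:
        print("SAID %#06x: roundtrip=%s ttl_ok=%s tamper_detected=%s" % (
            said, roundtrip_ok(said), survives_ttl_decrement(said), detects_modification(said)))
```

The SAID 0x0002 association is authentication-only, so its protected body is the inner datagram in clear; the same receive path handles both because the SAID, not the header's source address, decides which transformation to reverse.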