
Re: IPSEC Agenda




Ran Atkinson says:
> It isn't as easy as Perry suggests.  I agree with Neil.  
> 
>   Getting traffic flow security would be nice, but let's concentrate on
> getting the fundamental parts of IP security in place first.  Traffic
> flow security can be solved using mechanisms separate from and below
> IP and need not be solved at the IP layer.

How can you do traffic flow security below the IP layer if the
encryption in your system is at the IP layer? This hacker can't think
of a mechanism and would like to know how you can do it.

Also, you say "It isn't as easy as Perry suggests." I'd like to know
why. A bare assertion doesn't sit well with me.

If you disagree with what I have to say, it would be nice to know what
you think is wrong with the statement. E-Mail eliminates emotion --
please understand I'm not being hostile -- I just honestly want to
know what you think is incorrect about this.

As I said, IMHO, swIPe has the distinct advantage that it's easy to
think of how you can build systems to pad your traffic or conceal
sources and destinations. Since it's built on IP in IP, you can decide
to falsify traffic in dozens of ways -- fake extra traffic, conceal
sources and destinations, route packets through odd paths with
destination concealed at each point, etc. In fact, it's VERY easy to do
it -- many kinds of concealment policy could be implemented on top of
it.  It provides an obvious mechanism without policy, which is a Good
Thing. The fact that swIPe would give this to you for free is, in my
opinion, a win.

Perry

