[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPSEC requirements

To: ipsec <ipsec@ans.net>
Subject: IPSEC requirements
From: Mark H Linehan/Watson/IBM Research<linehan@watson.ibm.com>
Date: 31 Aug 94 11:52:38 ES

I agree that we need a real statement of requirements for IP level security.
Here's my attempt:

- We need authentication of message sources (i.e. of the IP source address &
related information) so that firewall routers can filter packets based on
source addresses.  I think this is the only requirement that really MUST be
addressed at the IP level.

- We need message confidentiality (encryption) for those situations where the
communicating parties want to keep their messages private.  Examples are many
corporate environments.

   This function can be provided at the application level (e.g. by PEM, etc.)
with the advantage that applications can selectively apply encryption where
it's really needed.  The reason for providing confidentiality at the IP level
is that many apps don't implement any kind of encryption.  Performing
encryption at the IP level gives a blanket guarantee that all packets are
private.

- We need message integrity (i.e. a guarantee that no bits in a packet have
been changed) for the same reasons that we need message confidentiality.

The three requirements are orthogonal.  Since each function involves some cost,
there should be some way to configure which functions are implemented for each
communicating pair of hosts.

Follow-Ups:

Re: IPSEC requirements

From: Steve Kent <kent@BBN.COM>

Prev by Date: Re: IPsecv4 and IPsecv6
Next by Date: Re: IVs, summary of discussion
Prev by thread: Re: OFB for IPSEC
Next by thread: Re: IPSEC requirements
Index(es):
- Main
- Thread