[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC requirements

To: linehan@watson.ibm.com
Subject: Re: IPSEC requirements
From: Phil Karn <karn@qualcomm.com>
Date: Thu, 1 Sep 1994 20:26:31 -0700
Cc: ipsec@ans.net
In-Reply-To: <9408311858.AA0908@watlny03.watson.ibm.com> (linehan@watson.ibm.com)

>   This function can be provided at the application level (e.g. by PEM, etc.)
>with the advantage that applications can selectively apply encryption where
>it's really needed.  The reason for providing confidentiality at the IP level
>is that many apps don't implement any kind of encryption.  Performing
         ^^^^^^^^^
>encryption at the IP level gives a blanket guarantee that all packets are
>private.

This isn't a strong enough statement. Many *hosts* don't implement any
kind of encryption. One of the nice things about doing it just above
IP is that you have the option of building an "encryption gateway"
that can encrypt and/or authenticate packets from "crypto-unaware"
hosts.

A particularly important special case is two LANs belonging to the
same company but physically at different locations and interconnected
by an insecure network (e.g., the Internet). None of the hosts on the
LANs support encryption, or are likely to in the near future. How can
the two LANs be joined so that the hosts can communicate across the
net in a reasonably secure fashion against outside (*not* inside)
attacks?

IPSEC is a perfect solution to this problem. And you can keep it even
after you eventually implement it inside all the hosts. Very flexible
and elegant, much more so than encryption at any other protocol level.

Phil

Prev by Date: Re[2]: (Fwd) Authentication and encryption.
Next by Date: Re: IPSEC requirements
Prev by thread: Re: IPSEC requirements
Next by thread: Re: IPSEC requirements
Index(es):
- Main
- Thread