
Re: IPSEC requirements



>The trust boundary is the trusted machine.
>I don't care about unsecure machines.  Let them die.

	That's exactly what I mean.

	If the trust boundary is your trusted machine, you can't
assume that data from an untrusted machine is authentic. Even if
it's authenticated and has the IP security stamp of approval.
After all, if it's an insecure machine, it should be trivial
for an attacker to pretend to be an authorized user on your
machine. So your machine can't trust it, and you've gone and
built a firewall *EXACTLY* like the ones that are out there
today, where the only machines that trust each other are the
ones you own.

	When I said that the distributed trust problem is hard
to solve, I wasn't just trying to be obnoxious. It *IS* hard
to solve! And every time I see IP security come up, someone
says "and after this we won't need firewalls."   --- I really
really wish this were true, but until all *hosts* are adequately
secured, and all *networks* are adequately secured, you're going
to have trust boundaries. The very fact that systems will always
be administered differently means that for some value of "adequate"
all hosts will *NEVER* be adequately secured.

	To put this another way: would you let traffic through
your firewall if it was protected by IP security options and
was coming from an authenticated user logging in from, say,
gnu.ai.mit.edu, or a public access machine?  I wouldn't.
Kerberos is a similar situation. If you use it all over your
network, on machines that you trust because you run them, then
you're fine. If you start letting other systems you don't have
control over authenticate users to your machines, you're
running the risk that those machines could be compromised
in a way that "steals" someone's Kerberos password. Suppose
I modify the "klogin" program on my workstation and you use
it to log into your home machine. The Kerberos part of the
system is still perfectly strong, but I now know your Kerberos
password and can be you. This is what I mean about how
IP level encryption solves a limited set of problems, and
must be accompanied by similar host-based security and
common management.

	Your trust boundary is going to encompass all the systems
you control, or the systems people you are willing to trust
control, and nobody else. That's the *CURRENT* situation with
firewalls -- IPSEC will give newer technologies but the basic
trust situation isn't likely to change.

mjr.
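The two points in the message above, that IPsec authentication of a host is not the same as trusting that host, and that a trojaned login client leaks a credential while the authentication protocol itself stays sound, played out in a small model. This is an added example, not code from the original message or from any IPsec or Kerberos implementation: the host names other than gnu.ai.mit.edu are invented, the "who administers which host" table is constructed sample data, and a salted password check stands in for the Kerberos exchange (it is not the Kerberos protocol).

```python
import hashlib
import hmac
import secrets

# Constructed sample network: which organisation administers each host.
# Host names other than gnu.ai.mit.edu (named in the message) are invented.
ADMINISTERED_BY = {
    "fw.example.net": "ours",
    "ws1.example.net": "ours",
    "partner.example.org": "partner",   # run by people we have agreed to trust
    "gnu.ai.mit.edu": "public",         # public-access machine, not ours
    "attacker-ws.example.org": "unknown",
}
TRUSTED_ADMINISTRATORS = {"ours", "partner"}


def inside_trust_boundary(host: str) -> bool:
    """A host is inside the boundary only if we, or people we trust, run it."""
    return ADMINISTERED_BY.get(host) in TRUSTED_ADMINISTRATORS


def firewall_decision(src_host: str, ipsec_authenticated: bool,
                      user_authenticated: bool) -> str:
    """IPsec authentication tells us which host sent the packets and a login
    tells us a credential was presented; neither tells us the host is
    uncompromised, so the decision still turns on the trust boundary."""
    if not ipsec_authenticated:
        return "deny: traffic not authenticated"
    if not inside_trust_boundary(src_host):
        return "deny: authenticated host is outside the trust boundary"
    if not user_authenticated:
        return "deny: no user credential"
    return "allow"


class LoginService:
    """Stand-in for the Kerberos side of the system: verifies a password and
    never learns anything about the machine the password was typed on."""

    def __init__(self) -> None:
        self._verifiers: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._verifiers[user] = (salt, self._digest(salt, password))

    def login(self, user: str, password: str) -> bool:
        if user not in self._verifiers:
            return False
        salt, expected = self._verifiers[user]
        return hmac.compare_digest(expected, self._digest(salt, password))


def honest_klogin(service: LoginService, user: str, password: str) -> bool:
    """The unmodified client: forwards the password and nothing else."""
    return service.login(user, password)


class TrojanedKlogin:
    """The modified klogin on the attacker's workstation. To the user and to
    the service it behaves exactly like the real client; it merely keeps a
    copy of every credential that passes through it."""

    def __init__(self, service: LoginService) -> None:
        self.service = service
        self.stolen: list[tuple[str, str]] = []

    def __call__(self, user: str, password: str) -> bool:
        self.stolen.append((user, password))
        return self.service.login(user, password)


def credential_theft_demo() -> dict[str, bool]:
    """Play out the scenario in the message and report each step's outcome."""
    service = LoginService()
    service.register("alice", "correct horse battery staple")
    trojan = TrojanedKlogin(service)
    results = {
        # Alice on her own workstation: everything is as it should be.
        "honest_login_ok": honest_klogin(service, "alice", "correct horse battery staple"),
        # Alice on the attacker's workstation: the protocol still says "yes".
        "trojaned_login_ok": trojan("alice", "correct horse battery staple"),
    }
    # The attacker replays the captured credential from any machine, including
    # one inside the victim's trust boundary, and the service cannot tell.
    user, password = trojan.stolen[0]
    results["attacker_login_ok"] = honest_klogin(service, user, password)
    results["wrong_password_ok"] = honest_klogin(service, "alice", "guess")
    return results


if __name__ == "__main__":
    print(firewall_decision("gnu.ai.mit.edu", True, True))
    print(firewall_decision("ws1.example.net", True, True))
    print(credential_theft_demo())
```

Note that nothing in the login service is weakened to make the theft work: the salted verifier and constant-time compare are intact, and the wrong password is still refused. The leak happens entirely on the host the user typed into, which is why the firewall rule keys on who administers the source host rather than on whether its packets carried a valid IPsec authenticator.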

