
Re: IPSEC requirements



Marcus,

	I disagree with some of your comments about what one needs,
and where it fits into protocol layers, to make life better in the
Internet.  First, you need a network, not a link layer, protocol for
integrity and confidentiality, and that is what IPSP will provide.  It
will provide this service not only on an end-to-end basis, but also on
an enclave-to-enclave or an end-to-enclave basis.  All of these
configurations are important to address slightly different
Internet security requirements.

	As for authentication, I disagree with your assertion that it
is best performed only at the application layer.  For single user end
systems, such as desktop workstations and laptop/notebook computers,
authentication provided at the network layer is essentially
equivalent, in terms of its granularity, to user authentication
provided at the application layer.  This is not true for all
applications, e.g., email and directory services are exceptions, but
it is generally true.  I agree that the form of the identification may
be different at the network layer vs. the application layer, but that
does not imply that suitable mappings cannot be established between
the two in many instances.  Also, when we are providing
enclave-to-enclave or end-to-enclave protection, which many folks
believe is quite valuable, end user identification is generally not
applicable.

	I agree that, in the best of all worlds, one would like to
have a high degree of confidence in the security of the other end
systems with which one interacts.  However, such confidence will
depend on a number of security disciplines being effectively pursued,
including computer security, procedural security, and network
security.  In general, in the Internet, we don't have much control
over or knowledge of the security measures in place at other sites,
much less other individual workstations.  User granularity
authentication, provided at the application layer, does not
necessarily make an end system more secure than the same system with
network layer authentication.  Even if the end system were more
trusted than I have any reason to expect in this environment, the
incremental security afforded by application vs. network layer
security is not very great, in most instances.

	I would expect that a remote computer that has been
compromised, e.g., by dint of failures in local computer or procedural
security, will be able to do much the same damage via a secure network
path whether application or network layer authentication is employed.
Perhaps, in a system with very strong separation of processes and an
ability to isolate and contain software received from suspect
locations, we might be able to mitigate the effects of some poor
security practices by other sites.  But I'm not convinced that
application layer authentication will really make a big difference in
that regard.  If you can share some more concrete examples where use
of application layer authentication does make a substantive difference
(other than in the email and directory service examples alluded to
above), then it would probably help support that contention.  

	Note that I'm not talking about such things as signing
software being retrieved across the net or the like, but rather the
relative merits of access control measures enforced at the network
vs. application layer, based on authentication provided at the
respective layers.

Steve
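The granularity argument in the message above (network-layer identity on a single-user end system is about as fine-grained as application-layer user identity, while on a multi-user host or an enclave gateway the mapping breaks down) can be made concrete with a small model. The following is an added example, not code from the message or from any IPSP/IPsec implementation; the host inventory, host names, user names and the `network_layer_principal`/`authorize` functions are all constructed for illustration.

```python
"""
Toy model of mapping a network-layer peer identity (the end system or
enclave gateway an IPSP-style security association authenticates) onto
the principal an access control decision can act on.

Constructed example: inventory, names and functions are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass
class EndSystem:
    host_id: str                               # identity authenticated at the network layer
    users: list = field(default_factory=list)  # accounts that can originate traffic from it


# Hypothetical inventory of peers the local policy knows about.
INVENTORY = {
    "alice-laptop.example": EndSystem("alice-laptop.example", ["alice"]),
    "bob-desktop.example":  EndSystem("bob-desktop.example", ["bob"]),
    "shared-unix.example":  EndSystem("shared-unix.example", ["carol", "dave", "erin"]),
    "enclave-gw.example":   EndSystem("enclave-gw.example", []),   # gateway: no end users
}


def network_layer_principal(host_id):
    """Derive the principal implied by an authenticated peer host.

    Returns ("user", name) when the peer is a single-user end system, so
    host authentication is equivalent in granularity to user authentication;
    ("host", host_id) when the peer is a multi-user system or an enclave
    gateway, where only host/enclave granularity is available; and None for
    an unknown peer.
    """
    system = INVENTORY.get(host_id)
    if system is None:
        return None
    if len(system.users) == 1:
        return ("user", system.users[0])
    return ("host", system.host_id)


def authorize(host_id, acl):
    """Network-layer access decision for one resource.

    acl is a set of principal tuples, e.g. {("user", "alice")} for a
    per-user resource or {("host", "enclave-gw.example")} for an
    enclave-to-enclave policy. Unknown peers are always denied.
    """
    principal = network_layer_principal(host_id)
    return principal is not None and principal in acl


if __name__ == "__main__":
    per_user_acl = {("user", "alice")}
    enclave_acl = {("host", "enclave-gw.example")}
    for peer in INVENTORY:
        print(peer, network_layer_principal(peer),
              authorize(peer, per_user_acl), authorize(peer, enclave_acl))
```

Note the deliberate asymmetry: a multi-user host such as `shared-unix.example` never yields a `("user", ...)` principal, so a per-user ACL denies it even though the host itself authenticated correctly. That is the case where application-layer authentication genuinely adds granularity; for the single-user laptops in the inventory it adds none.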

