
Re: IPSEC requirements



> Marcus,
> 
> 	I disagree with some of your comments about what one needs,
> and where it fits into protocol layers, to make life better in the
> Internet.  First, you need a network, not a link layer, protocol for
> integrity and confidentiality, and that is what IPSP will provide.  It
> will provide this service not only on an end-to-end basis, but also on
> an enclave-to-enclave or an end-to-enclave basis.

It seems to me that there is a misconception on layering.

All firewalls today are operating at the transport layer.

Firewalls look into the transport header for port #s.

Sockd is explicitly a transport layer relay.

Of course, there is no reason that some transport layer data cannot
be mixed with network layer data. So, it's OK to have an implementation
which puts transport layer security data into the IP header. Layering is NOT
for implementation. But viewing the data as being at the network layer is,
IMHO, a layering confusion.

> 	As for authentication, I disagree with your assertion that it
> is best performed only at the application layer.

Application layer protection is application dependent. It is impossible
to do it on firewalls without specific knowledge of applications, and
they are not so efficient.

Application layer protection should best be performed end-to-end over a
protected transport layer.

But,

> Also, when we are providing
> enclave-to-enclave or end-to-enclave protection, which many folks
> believe is quite valuable, end user identification is generally not
> applicable.

that's not a valid objection.

For example, an application, nntpd, actually allows enclave-wise
protection specification.

Application layer filter specification, in general, will be

	(user spec, application spec, host spec)

and you can specify:

	(any user, any application, hosts in a certain subnet)

which is what you need for enclave-to-enclave or end-to-enclave
protection. The "enclave" issue is merely a wildcarding issue.

Of course, doing application layer protection on firewalls means
firewalls must have knowledge of foreign users, which is inefficient,
unrealistic and should be avoided.

						Masataka Ohta
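The (user spec, application spec, host spec) filter tuples described in the message above, worked through as a small first-match policy evaluator. This is an added example, not code from the original post or from any IPSEC/IPSP implementation; the rule format, the `*` wildcard marker, the user and application names, and the addresses (documentation and private ranges) are assumptions made for illustration. It shows that an end-to-end rule, an end-to-enclave rule and an enclave-to-enclave rule are all the same tuple shape and differ only in which fields are wildcarded.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical wildcard marker; the original post writes "any user" etc.
ANY = "*"


@dataclass(frozen=True)
class Rule:
    """One application-layer filter entry: (user spec, app spec, host spec)."""
    user: str    # user name, or ANY
    app: str     # application/service name, or ANY
    host: str    # single IP address, CIDR prefix, or ANY
    action: str  # "permit" or "deny"


def _host_matches(spec: str, addr: str) -> bool:
    """A host spec is a wildcard, a single address, or a subnet prefix."""
    if spec == ANY:
        return True
    # strict=False lets "10.1.0.0/16" style prefixes be written loosely;
    # a bare address becomes a /32 (or /128) network.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _matches(rule: Rule, user: str, app: str, addr: str) -> bool:
    return ((rule.user == ANY or rule.user == user)
            and (rule.app == ANY or rule.app == app)
            and _host_matches(rule.host, addr))


def decide(rules, user: str, app: str, addr: str) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if _matches(rule, user, app, addr):
            return rule.action
    return "deny"


def requires_user_identity(rule: Rule) -> bool:
    """True when the rule can only be evaluated if the peer user is known.

    Rules whose user field is wildcarded (the enclave-style rules) never
    need the foreign user's identity to reach a decision.
    """
    return rule.user != ANY


# Constructed sample policy; names and addresses are illustrative only.
RULES = [
    # end-to-end: a named user, one application, one host
    Rule("alice", "smtp", "192.0.2.10", "permit"),
    # end-to-enclave: any user, one application, hosts in a subnet
    Rule(ANY, "nntp", "198.51.100.0/24", "permit"),
    # enclave-to-enclave: any user, any application, a whole peer site
    Rule(ANY, ANY, "10.1.0.0/16", "permit"),
]


if __name__ == "__main__":
    for who, app, addr in [("alice", "smtp", "192.0.2.10"),
                           ("bob", "smtp", "192.0.2.10"),
                           ("bob", "nntp", "198.51.100.77"),
                           ("bob", "ftp", "198.51.100.77"),
                           ("bob", "ftp", "10.1.200.5"),
                           ("bob", "ftp", "10.2.0.1")]:
        print(f"{who:6} {app:5} {addr:16} -> {decide(RULES, who, app, addr)}")
    for r in RULES:
        print(r, "needs user identity:", requires_user_identity(r))
```

Rule order matters because evaluation is first-match: putting the broad enclave-to-enclave entry last keeps a more specific per-user deny, if one were added above it, effective. The `ipaddress` module handles IPv6 prefixes the same way, so the host spec field needs no special casing for address family.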

