
Re: (IPng) More Endpoint Attributes



Ran writes:

    There is nothing to preclude the continued use of IPSO (etc.).
    IPSO is a standards-track IETF protocol, hence appropriate to cite.
    CIPSO is not a standards-track IETF protocol and the IETF CIPSO
    working group was recently formally disbanded for lack of visible
    effort in over a year. Hence CIPSO is not appropriate to cite.

That is an issue to be taken up separately, somewhere, maybe.

    There is text about the need to authenticate explicit labelling
    information such as IPSO.  There was general agreement fairly early
    on in the IPsec WG that explicit labels which lack cryptographic
    binding to their packet and lack cryptographic authentication mechanisms
    have serious security problems due to the lack of such authentication
    mechanisms.  Fortunately, use of something like ESP or AH would
    address those specific security problems with explicit labelling.

Basically, you are saying that when ESP or AH is present,
the (C)IPSO options inherit the goodness of the authentication mechanisms,
since they are part of the IP header stream covered by the ESP and/or the AH.
Is that correct?

    Similarly there is nothing to preclude the continued use of
    the (not currently publicly documented) TSIG protocols.  Again,
    those protocols would probably benefit greatly from the availability
    of cryptographic security mechanisms in the IP-layer that could
    be used to secure those TSIG protocols.

I agree.

    I need to (and will) add text noting that explicit labels similar to
    IPSO could be added to IPv6 using either the IPv6 End-to-End Options
    Header or using the IPv6 Hop-by-Hop Options header.  I will not
    attempt to write such specifications as they are outside the scope
    of my efforts.

That is also quite reasonable to expect. It would be our
(i.e., TSIG as the coordinating body for MLS vendors) responsibility
to write up the specifications and get them into the IETF standards-track
RFCs (or not as the case may be).

    Because the TSIG specs are not in IETF standards-track RFCs, I do not
    plan to discuss them specifically or cite them.

Ok.
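
As an added illustration of the point about cryptographic binding discussed above (this is example code written for this archive page, not anything from the message or from the IPSO, AH or ESP specifications), the Python below builds a constructed IPv4 packet carrying an RFC 1108 Basic Security Option, computes an AH-style ICV over it with mutable fields zeroed as RFC 4302 describes, and shows that a rewritten classification byte fails the AH check while a TTL decrement still passes. It also shows the caveat behind the "is that correct?" question in the reply: in ESP transport mode the outer IP header, options included, is not an input to ESP's integrity check, so the label is bound only when AH is used (or ESP in tunnel mode, where the labelled header is the protected inner header). Addresses, key, SPI, sequence number and payload are constructed; HMAC-SHA-256-128 is an assumed algorithm choice; the mutable/immutable option handling is simplified to the one option present.

```python
import hashlib
import hmac
import struct

# Constructed sample data: not real traffic, keys or addresses.
IPSO_OPTION_TYPE = 130      # RFC 1108 Basic Security Option
CLASS_SECRET = 0x5A         # RFC 1108 classification code "Secret"
CLASS_CONFIDENTIAL = 0x96   # RFC 1108 classification code "Confidential"
IPPROTO_AH, IPPROTO_ESP, IPPROTO_UDP = 51, 50, 17
ICV_LEN = 16                # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
AH_LEN = 12 + ICV_LEN       # fixed AH fields + ICV (transport mode)
KEY = b"constructed demo key, not a real SA key"
SPI, SEQ = 0x1234, 1
PAYLOAD = b"hello from the MLS host"  # constructed upper-layer data
CLASS_OFFSET, TTL_OFFSET = 22, 8      # option at byte 20: type, len, class, authority


def ipv4_checksum(hdr):
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def with_checksum(hdr):
    h = bytearray(hdr)
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def set_byte(hdr, offset, value):
    """Rewrite one header byte and refresh the checksum, as a router (TTL) or an
    on-path party rewriting the label would, so the packet stays well-formed."""
    h = bytearray(hdr)
    h[offset] = value
    return with_checksum(bytes(h))


def build_ipv4_header(classification, proto, payload_len):
    """IPv4 header (IHL = 6) with one 4-byte IPSO option: type, length,
    classification, and one protection-authority octet (low bit 0 = last)."""
    ipso = bytes([IPSO_OPTION_TYPE, 4, classification, 0x00])
    ihl = 5 + len(ipso) // 4
    base = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                       0x4242, 0x4000, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return with_checksum(base + ipso)


def ah_zero_mutable(hdr):
    """Header as AH feeds it to the MAC: TOS, flags/fragment offset, TTL and
    checksum zeroed (RFC 4302 3.3.3.1.1.1). Option 130 is immutable (RFC 4302
    Appendix A2) and is kept; any other option is zeroed, a simplification here."""
    h = bytearray(hdr)
    h[1] = h[6] = h[7] = h[8] = h[10] = h[11] = 0
    i = 20
    while i < len(h) and h[i] != 0:          # 0 = End of Options List
        if h[i] == 1:                        # 1 = No-Operation
            i += 1
            continue
        n = max(h[i + 1], 2)
        if h[i] != IPSO_OPTION_TYPE:
            h[i:i + n] = bytes(n)
        i += n
    return bytes(h)


def ah_icv(key, hdr, payload, spi=SPI, seq=SEQ):
    """Transport-mode AH ICV: MAC over zeroed IP header + AH header (own ICV
    field zeroed) + payload, truncated to ICV_LEN (RFC 4302 3.3.3, RFC 4868)."""
    ah_hdr = struct.pack("!BBHII", IPPROTO_UDP, AH_LEN // 4 - 2, 0, spi, seq)
    data = ah_zero_mutable(hdr) + ah_hdr + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_verify(key, hdr, payload, icv):
    return hmac.compare_digest(ah_icv(key, hdr, payload), icv)


def esp_icv(key, payload, spi=SPI, seq=SEQ):
    """Transport-mode ESP ICV (NULL encryption for readability): MAC over ESP
    header (SPI, seq) + payload + ESP trailer. The IP header is not an input."""
    pad_len = -(len(payload) + 2) % 4
    trailer = bytes(pad_len) + bytes([pad_len, IPPROTO_UDP])
    data = struct.pack("!II", spi, seq) + payload + trailer
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_verify(key, payload, icv):
    return hmac.compare_digest(esp_icv(key, payload), icv)


def demo():
    """Which receiver accepts which packet; keys of the dict name the case."""
    # Sender labels the packet Secret and protects it with AH.
    hdr = build_ipv4_header(CLASS_SECRET, IPPROTO_AH, AH_LEN + len(PAYLOAD))
    icv = ah_icv(KEY, hdr, PAYLOAD)
    # The same packet carried under ESP transport mode instead.
    esp_len = 8 + len(PAYLOAD) + (-(len(PAYLOAD) + 2) % 4) + 2 + ICV_LEN
    esp_hdr = build_ipv4_header(CLASS_SECRET, IPPROTO_ESP, esp_len)
    esp = esp_icv(KEY, PAYLOAD)
    esp_tampered = set_byte(esp_hdr, CLASS_OFFSET, CLASS_CONFIDENTIAL)
    return {
        "ah_accepts_original": ah_verify(KEY, hdr, PAYLOAD, icv),
        "ah_accepts_ttl_decrement": ah_verify(KEY, set_byte(hdr, TTL_OFFSET, 63), PAYLOAD, icv),
        "ah_accepts_relabel": ah_verify(KEY, set_byte(hdr, CLASS_OFFSET, CLASS_CONFIDENTIAL), PAYLOAD, icv),
        # esp_verify never sees esp_tampered: the outer header lies outside ESP's
        # ICV, so the rewritten label reaches the receiver's label check unchallenged.
        "esp_accepts_relabel": esp_verify(KEY, PAYLOAD, esp),
        "esp_receiver_sees_class": esp_tampered[CLASS_OFFSET],
    }
```

Running demo() gives True for the original and TTL-decremented AH packets, False for the relabelled AH packet, and True for the ESP check even though the receiver now reads Confidential from the option; that last pair is the reason the reply's "ESP and/or AH" needs the qualification above.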
