
Re: Routing



Steve,

	I agree with your assessment that using an intermediate system
to implement IPSP will often be appropriate for a variety of reasons,
not only the difficulty and cost of providing tamper-resistant crypto
at end systems.  However, the question of having an intermediate
system be a party to an IPSP security association is a different
matter.

	I too was at the IAB security workshop in question and I
recall the presentations on having intermediate systems interact with
end systems to provide security services better than those now offered
by various firewalls.  However, I am not confident that IPSP, as it is
defined so far, has been engineered with appropriate provisions for
the sort of multi-party security association management that appears
to be implied by the suggestions that both you and Ran have put forth.
Experience suggests that it is fairly difficult to implement a
flexible network layer security protocol at an intermediate system,
even when the protocol is still point-to-point.  IPSP makes some
efforts to accommodate multi-point communication, which ups the ante.

	What I think I hear you and Ran suggesting, and please correct
me if I misunderstood, is to have an intermediate system perform the
crypto for IPSP but to have much of the rest of the protocol execute
back at the endpoint.  Alternatively, I may have heard a suggestion
that some of IPSP operate at the intermediate system, but that most of
it operate at the intermediate system, essentially allowing the end
system to signal security association control parameters to the
intermediate system.

	I'd feel much more comfortable if these suggestions were backed
up with detailed discussions of the scenarios under which these
features would be employed, plus an analysis of how end and
intermediate system implementations of (vanilla) IPSP would have to
operate differently to function properly in this new mode.  It's easy
to say that such uses are not prohibited, but until we do the homework
to ensure that such configurations do not introduce significant
complexity into the protocol, or into end or intermediate system
implementations that communicate with these distributed
implementations, I worry that we may be promising more than we know
how to deliver.

Steve

