
Re: Bellovin's and Ashar's attacks



Ran said:

>Hmm.  Actually, ESP is _both_ an IP encryptor and also a
>transport-layer encryptor, depending on how a particular session is
>set up.  It is important for everyone to keep this in mind.  The
>working group name is somewhat misleading by accident because folks
>think it is restricted to the IP-layer.  No such restriction exists
>in either AH or ESP.

>As an aside, one of the things I've not been good about making clear
>in my notes is that my interest in user-oriented keying has much to do
>with the use of ESP as a transport-layer encryptor.

I've been meaning to question this idea of encrypting only the transport data.
It seems pretty innocuous until it leads us to issues such as user-oriented
keying.  I'm concerned that this is a case of "creeping featurism" and that it
is making the IPSEC objectives too large and too complex.

Remember the continuing demand from many quarters to get IPSEC finished and how
there's been real difficulty over time concluding on specific solutions.
Remember also that the most effective security mechanisms typically are the
ones that are the simplest and most effectively focussed.

Both the name and most of the work in IPSEC have been addressed to network-layer
security.  I respectfully suggest that if there's a real demand for
transport-layer security services, then there should be TCP security and UDP
security working groups assigned to consider modifying those protocols.