
(Fwd) IP security



Hugo suggested that I forward my note below to the DNS Security list
back to the IP Security list, so I'm doing so.

	Ran

----------------------------- Note follows ------------------------------
 Date: Fri, 22 Sep 95 09:42:25 EDT
 From: Ran Atkinson <atkinson@itd.nrl.navy.mil>
 Message-Id: <9509221342.AA20247@itd.nrl.navy.mil>
 To: alten@novell.com
 Subject: IP security
 Cc: dns-security@TIS.COM


Don Eastlake wrote:
>I think secure Telnet and FTP and the plethora of other point to point
>security protocols in the Internet should go away and be replaced by
>IPSEC.  If the decision were up to me, I'd seriously consider an
>embargo on any "improvements" to these other point-to-point protocols
>to encourage development and deployment of IPSEC.  (These comments do
>not apply to store-and-forward security such as DNS and email.)

Alex Alten responded:
%	I'm afraid that I must disagree with you about Telnet and FTP.
% These protocols depend on user authentication.  IP level
% authentication is not enough to distinguish between users on a
% multi-user system.

  The above comment tells me that you must not have read RFC-1825 thru
RFC-1827 carefully enough.  The IPsec Proposed Standards _require_
that implementations support user-oriented keying so that one _can_
distinguish between users on a multi-user system with cryptographic
assurances.  The NRL IPsec implementation does support keying on a
per-socket basis NOW.  (We have a BSD based implementation, so sockets
are the appropriate term; one could do the same thing with TLI/XTI
though the implementation details would differ).

%  Some protocols like SNMP are also used over other non-Internet protocols,
% such as Appletalk and IPX.

True, though at last report ALL security was being removed from SNMPv2
by the working group.  Also, Don did not say that there were no
applications needing application security, just that most applications
did not need application layer security.

% From an overall design perspective I doubt IPSEC will be able to
% adequately deal with the security needs of all higher level protocols.
% I'm finding out that each one has its individual needs which cannot
% always be covered by a "one size fits all" solution.

I agree with Don that IPsec can fully handle the security needs of MOST
higher level protocols and that we probably ought not keep stuffing
security into EVERY upper-layer protocol.  DNS and PEM are good examples
of higher level protocols that really need application layer security.

Ran
rja@cs.nrl.navy.mil

[Followups probably belong on the IPsec list or in private email
 rather than on the DNS Security list...]

-----------------------End of forwarded mail ----------------------