Re: clear ports
Ran,
> If the user didn't want the ports and transport-layer covered up, then the
> user would have used an upper-layer security service (e.g. PEM, PGP, SSL,
> whatever) instead of IPsec. Uncovering the ports within the context of
> IPsec is unwise and contrary to the intent of the IPsec work.
I guess I'm not convinced that a priori it is necessary to require that ESP
cover up the protocol/ports. I think that in many many cases, what people are
trying to keep private is the payload of the transport data (e.g., passwords,
payroll data, etc.). I think that in some cases, traffic analysis (at the
level of ports/protocol) is something people want to protect.
Below is (what I believe to be) the IPSEC charter; I don't believe that it
answers the question "to encrypt ports/protocol or not to encrypt
ports/protocol?".
Additionally, I suspect that the effort required to design, develop, and
deploy IPSEC is going to make it widely used in the place of things such as
TELNET encryption, FTP encryption, SSL, etc. I.e., it is going to solve all
these problems, it is there (and, hopefully, ubiquitous), and people will use
it.
Cheers,
Greg
----
Rapid advances in communication technology have accentuated the need for
security in the Internet. The IP Security Protocol Working Group (IPSEC) will
develop mechanisms to protect client protocols of IP. A security protocol in
the network layer will be developed to provide cryptographic security services
that will flexibly support combinations of authentication, integrity, access
control, and confidentiality.
The protocol formats for the IP Authentication Header (AH) and IP
Encapsulating Security Payload (ESP) will be independent of the cryptographic
algorithm. The preliminary goals will specifically pursue host-to-host
security followed by subnet-to-subnet and host-to-subnet topologies.
Protocol and cryptographic techniques will also be developed to support the
key management requirements of the network layer security. The Internet Key
Management Protocol (IKMP) will be specified as an application layer protocol
that is independent of the lower layer security protocol. The protocol will
initially support public key-based techniques. Flexibility in the protocol
will allow eventual support of Key Distribution Centers (KDC), such as are
used by Kerberos.
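The distinction Greg and Ran are arguing over, as an added example that is not part of this thread: a toy model of transport-mode ESP beside a simplified AH, showing which fields an on-path observer can read in each case. The packet layouts are reduced to the fields that matter here, and the cipher is an HMAC-SHA256 keystream standing in for a real ESP transform (an assumption for illustration only).

```python
import hashlib
import hmac
import struct

IPPROTO_TCP = 6

def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 over a counter. Not a real ESP transform."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def esp_encapsulate(key, spi, seq, next_header, segment):
    """Transport-mode ESP: SPI and sequence number in the clear; the transport
    segment, pad length and Next Header trailer are all inside the ciphertext."""
    plain = segment + bytes([0, next_header])          # pad_len=0, then Next Header
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, len(plain))))
    return struct.pack("!II", spi, seq) + cipher

def esp_decapsulate(key, packet):
    """Receiver side: returns (next_header, segment) after stripping the trailer."""
    plain = bytes(a ^ b for a, b in zip(packet[8:], keystream(key, len(packet) - 8)))
    return plain[-1], plain[:-2]

def ah_encapsulate(spi, seq, next_header, segment):
    """Simplified AH: Next Header in the clear ahead of SPI/seq; ICV omitted."""
    return struct.pack("!BxxxII", next_header, spi, seq) + segment

def observer_view_esp(packet):
    """What a passive observer learns from an ESP packet: SPI, seq, size only."""
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "proto": None, "ports": None, "len": len(packet) - 8}

def observer_view_ah(packet):
    """What a passive observer learns from an AH packet: protocol and ports too."""
    next_header, spi, seq = struct.unpack("!BxxxII", packet[:12])
    ports = struct.unpack("!HH", packet[12:16]) if next_header == IPPROTO_TCP else None
    return {"spi": spi, "seq": seq, "proto": next_header, "ports": ports, "len": len(packet) - 12}

def sample_segment(sport=40000, dport=23, payload=b"password"):
    """Constructed TCP segment: source/destination ports, 16 filler header bytes, payload."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload
```

Running `observer_view_ah` on the AH form of `sample_segment()` yields the telnet port pair, while the ESP form yields only SPI, sequence number and length until `esp_decapsulate` is applied with the key.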
References:
- apology
- From: Ran Atkinson <rja@cisco.com>