
Re: clear ports



Ran,

> If the user didn't want the ports and transport-layer covered up, then the
> user would have used an upper-layer security service (e.g. PEM, PGP, SSL,
> whatever) instead of IPsec.  Uncovering the ports within the context of
> IPsec is unwise and contrary to the intent of the IPsec work.

I guess I'm not convinced that a priori it is necessary to require that ESP 
cover up the protocol/ports.  I think that in many, many cases, what people are 
trying to keep private is the payload of the transport data (e.g., passwords, 
payroll data, etc.).  I think that in some cases, traffic analysis (at the 
level of ports/protocol) is something people want to protect against.

Below is (what I believe to be) the IPSEC charter; I don't believe that it 
answers the question "to encrypt ports/protocol or not to encrypt 
ports/protocol?".

Additionally, I suspect that the effort required to design, develop, and 
deploy IPSEC is going to make it widely used in place of things such as 
TELNET encryption, FTP encryption, SSL, etc.  I.e., it is going to solve all 
these problems, it is there (and, hopefully, ubiquitous), and people will use 
it.

Cheers,

Greg
----
Rapid advances in communication technology have accentuated the need for 
security in the Internet. The IP Security Protocol Working Group (IPSEC) will 
develop mechanisms to protect client protocols of IP. A security protocol in 
the network layer will be developed to provide cryptographic security services 
that will flexibly support combinations of authentication, integrity, access 
control, and confidentiality. 

The protocol formats for the IP Authentication Header (AH) and IP 
Encapsulating Security Payload (ESP) will be independent of the cryptographic 
algorithm. The preliminary goals will specifically pursue host-to-host 
security followed by subnet-to-subnet and host-to-subnet topologies. 

Protocol and cryptographic techniques will also be developed to support the 
key management requirements of the network layer security. The Internet Key 
Management Protocol (IKMP) will be specified as an application layer protocol 
that is independent of the lower layer security protocol. The protocol will 
initially support public key-based techniques. Flexibility in the protocol 
will allow eventual support of Key Distribution Centers (KDC), such as are 
used by Kerberos.
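The layout question the thread is arguing about, as an added example that is not part of the original message: a constructed Python model of ESP transport mode showing which header fields a passive on-path observer can read when the TCP header sits inside ESP (the specified behaviour) versus the hypothetical "uncovered ports" layout where it is left in front of ESP. The HMAC-based keystream and truncated-HMAC ICV are stand-ins for a real ESP transform, and all packets, keys and addresses are constructed.

```python
import hmac, hashlib, struct

# Stand-in ESP transform for illustration only: HMAC-SHA256 in counter mode as a
# keystream plus a 12-byte truncated HMAC as the ICV. Not a real IPsec algorithm.
def esp_seal(key, esp_hdr, plaintext):
    ks = b"".join(hmac.new(key, esp_hdr + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:12]

def esp_open(key, esp_hdr, sealed):
    ct, icv = sealed[:-12], sealed[-12:]
    if not hmac.compare_digest(icv, hmac.new(key, esp_hdr + ct, hashlib.sha256).digest()[:12]):
        raise ValueError("ESP integrity check failed")
    return esp_seal(key, esp_hdr, ct)[:-12]  # XOR keystream is its own inverse

def ipv4(src, dst, proto, payload):
    # Minimal IPv4 header, checksum left 0 (constructed packet, never sent).
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, src, dst) + payload

def tcp(sport, dport, data):
    # Minimal TCP header: ports, seq, ack, data offset, flags, window, csum, urg.
    return struct.pack(">HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + data

def build(key, spi, seq, src, dst, segment, clear_ports=False):
    """ESP transport mode. Default: IP | ESP | {TCP hdr, data, trailer} | ICV.
    clear_ports=True models the hypothetical 'uncovered ports' layout from the
    thread: IP | TCP hdr | ESP | {data, trailer} | ICV."""
    esp_hdr = struct.pack(">II", spi, seq)
    head, body = (segment[:20], segment[20:]) if clear_ports else (b"", segment)
    trailer = bytes([0, 6])  # pad length 0, next header 6 = TCP
    sealed = esp_seal(key, esp_hdr, body + trailer)
    return ipv4(src, dst, 6 if clear_ports else 50, head + esp_hdr + sealed)

def observer_view(pkt):
    """Fields a passive observer reads without the key (it knows the layout)."""
    proto, off = pkt[9], 20
    view = {"src": pkt[12:16], "dst": pkt[16:20], "proto": proto, "ports": None}
    if proto == 6:  # TCP header in the clear: ports and protocol leak
        view["ports"], off = struct.unpack(">HH", pkt[20:24]), 40
    view["spi"], view["seq"] = struct.unpack(">II", pkt[off:off + 8])
    view["opaque_bytes"] = len(pkt) - off - 8
    return view

def receive(key, pkt):
    """Receiver with the key: verify the ICV, decrypt, return the TCP segment."""
    off = 40 if pkt[9] == 6 else 20
    plain = esp_open(key, pkt[off:off + 8], pkt[off + 8:])
    return pkt[20:off] + plain[:-2]  # drop the 2-byte ESP trailer
```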

