"user" and "network layer" security.

Date: Fri, 16 Aug 1996 16:55:16 -0400
From: "Mitchell C. Nelson" <nelson@mcn.netsec.com>
Message-Id: <199608162055.QAA01070@mcn.netsec.com>
To: ipsec@TIS.COM, netsec@panix.com
Subject: "user" and "network layer" security mechanisms.
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

Language in the Internet draft IPSEC architecture, and in its predecessor
RFC 1825, refers to "IP-layer security".  This is in itself consistent with
language in the IPSEC charter that refers to a "security protocol in the
network layer".  However, several contributions to this discussion group,
as well as other language in the IPSEC documents, refer to the term "user".
This is curious.

There is no concept of "user" at the IP layer (i.e. the network layer).  
Moreover, there is no clean and reliable way to map from IP datagram to
user.  Any such code will be problematic unless the functionality of
IP is severely altered.  For example, consider a transport protocol
that combines service to several users simultaneously.  Perfectly legal,
but problematic for a network layer mechanism that needs to know about
users.  The candidate network layer code would need to know all of the
protocols that would be used with IP. In short, it would no longer be a
true network layer mechanism, but rather a kludge.

The most appropriate place to discuss and design "user" security mechanisms
would seem to be in another discussion group. It is difficult to understand
how one could use the term "user" anywhere below the application layer. 
Mixing "user" constructs into the network layer breaks the network
architecture and should be expected to lead to undesirable and probably
needless consequences.

"User" based security and "network layer" security can each be designed and
implemented in ways that are consistent with the established network
architecture.  With some pro-forma cross consultation, one should expect
to arrive at reasonable results that provide good security without conflict
and without unduly compromising present network functionality.  The
alternative does not offer as much grounds for optimism.  Therefore it
seems that all language related to "user" should be expunged from IPSEC
and instead treated in a separate discussion group.


Regards to all,
Mitch Nelson
netsec@panix.com