
Re: "user" and "network layer" security mechanisms.




>>    For the great class of usage, firewall to firewall tunnels (where only
>>    network origination is authenticated), or laptop to firewall, IP
>>    "network-layer" security easily handles those needs.  The "user" or
>>    "principal" or "party" maps nicely to the IP address.

This works fine for folks whose laptop or PC is equipped with a static 
IP address.  What about everyone else? 

For a majority of computers, IP addresses aren't meaningful for security. 
When a user has complete physical control over a computer (such as 
a laptop) there can be no realistic node-level security without special 
hardware.  In this environment, IP addresses serve as a convenient 
indirection for operating systems and communication protocols that 
can't easily deal with user names.  Although we could build a security 
infrastructure that institutionalizes IP addresses as shorthand for 
user identities, is this really a good idea for the long term? 

Ted Wobber
DEC Systems Research Center

Date: Mon, 26 Aug 1996 17:56:28 -0400
From: "Mitchell C. Nelson" <nelson@mcn.netsec.com>
Message-Id: <199608262156.RAA00328@mcn.netsec.com>
To: ipsec@TIS.COM, karn@qualcomm.com
Subject: A renewed IPSEC ("user" and "network layer" security).
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

I am sorry that I did not read Phil's note of Aug 25 before sending my
note on Aug 26.  I agree with Phil's suggestion regarding SKIP, and I
suggest that we proceed along those lines.  Also, I think that the
IPSEC charter should be revised to focus more explicitly on network
layer security.  The task should be well defined, as a first step
towards producing the best possible result.  (Application layer
security can be the well defined task of an APPSEC working group.)

SKIP seems to reflect reasonable objectives of network layer security.
Still it would probably be a useful exercise to try and summarize what
those objectives are.  Meanwhile I suggest that we set a reasonable
minimum period of time for renewed discussion of the SKIP proposal in
its details.

Mitch Nelson
netsec@panix.com


From Phil Karn:

>>"User" based security and "network layer" security can each be designed
>>and implemented in ways that are consistent with the established network
>>architecture.  With some pro-forma cross consultation, one should expect
>>to arrive at reasonable results that provide good security without
>>conflict and without unduly compromising present network functionality.
>>The alternative does not offer as much grounds for optimism.  Therefore
>>it seems that all language related to "user" should be expunged from
>>IPSEC and instead treated in a separate discussion group.
(quoted from M.C.Nelson of 8/16)

>I couldn't agree more. As one of the originators of the IPSEC group, I
>have watched with increasing resignation for the last four years as my
>original idea has grown completely out of control, with very little to
>show for it.
.....
>If the IPSEC group's work is to ever have any relevance, it must
>return to the original, bare-bones goal of building protected
>"tunnels" at the host-to-host or subnet-to-subnet level of
>granularity. There's still plenty of need for this function, but
>trying to do more than this is likely to continue to get us nowhere.
>
>In this light, SKIP keeps looking better to me all the time. Its claim
>to the "simple" label certainly keeps getting stronger.  The only real
>problem I've ever had with it was the lack of perfect forward secrecy
>(PFS) in the original design. But that's in there too. So other than
>the lack of support for a facility (user-oriented keying) that we
>can't really do properly anyway, what's wrong with it?








Date: Tue, 27 Aug 96 15:10:42 GMT
From: William Allen Simpson <wsimpson@greendragon.com>
MMDF-Warning:  Unable to confirm address in preceding line at neptune.TIS.COM
Message-Id: <5478.wsimpson@greendragon.com>
To: ipsec@TIS.COM
Subject: Re: "user" and "network layer" security mechanisms.
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

I'm sorry, I was insufficiently clear.  The IP address (in my list of
scenarios) is part of the IP address plus SPI -- a temporary shorthand
for party/principal/user identities.  There is no need for the IP
address to remain static.  You still need some key management exchange
to bind an "identity" with the IP address plus SPI combination.

> From: wobber@pa.dec.com
> This works fine for folks whose laptop or PC is equipped with a static
> IP address.  What about everyone else?
>

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
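
The binding described in the last message above (identity tied to IP address plus SPI by a key management exchange, with no static address required), as an added example that is not part of the original thread. Assumptions: the table is keyed on the peer's current address plus SPI as a simplification, `key_exchange` is a hypothetical stub for an exchange that has already verified the identity, and HMAC-SHA256 stands in for the authentication transform.

```python
import hashlib
import hmac
import os


def seal(key, ip, spi, payload):
    """Sender side: tag over address, SPI and payload (stand-in transform)."""
    msg = ip.encode() + spi.to_bytes(4, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class SATable:
    """Receiver side: (peer IP, SPI) -> (identity, session key)."""

    def __init__(self):
        self._sas = {}

    def key_exchange(self, identity, current_ip):
        """Hypothetical stub: assumes the exchange authenticated `identity`,
        then binds it to the peer's current address plus a fresh SPI."""
        spi = int.from_bytes(os.urandom(4), "big")
        key = os.urandom(32)
        self._sas[(current_ip, spi)] = (identity, key)
        return spi, key

    def expire(self, ip, spi):
        self._sas.pop((ip, spi), None)

    def authenticate(self, src_ip, spi, payload, tag):
        """Return the bound identity, or None if no SA exists or the tag fails."""
        sa = self._sas.get((src_ip, spi))
        if sa is None:
            return None
        identity, key = sa
        ok = hmac.compare_digest(seal(key, src_ip, spi, payload), tag)
        return identity if ok else None


def demo():
    """Constructed scenario: a laptop whose address changes between sessions."""
    t, who, old_ip, new_ip = SATable(), "user@example.org", "192.0.2.10", "198.51.100.7"
    spi1, k1 = t.key_exchange(who, old_ip)
    first = t.authenticate(old_ip, spi1, b"hi", seal(k1, old_ip, spi1, b"hi"))
    t.expire(old_ip, spi1)                      # address released
    spi2, k2 = t.key_exchange(who, new_ip)      # fresh exchange rebinds identity
    moved = t.authenticate(new_ip, spi2, b"hi", seal(k2, new_ip, spi2, b"hi"))
    # Whoever inherits the old address has no SA; a guessed key fails the tag check.
    stale = t.authenticate(old_ip, spi1, b"hi", seal(k1, old_ip, spi1, b"hi"))
    forged = t.authenticate(new_ip, spi2, b"hi", seal(os.urandom(32), new_ip, spi2, b"hi"))
    return first, moved, stale, forged
```
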