
Re: "user" and "network layer" security. reply to respondents.



In message <Pine.SUN.3.91.960830095654.26224C-100000@panix.com>, "M.C.Nelson" writes:
> 
> The transport layer doesn't have "user" either.  Adding a "user" concept
> in a new layer between the transport and network layer still breaks the
> network architecture.

Fine. I guess we should all throw our hands up in disgust and walk away from
the table. The pristine purity of the ISO reference model must be preserved
at all cost, right?

Do you propose removing all user-based authentication from PPP (CHAP and
PAP) also? After all, PPP is a link layer protocol, and the link layer
doesn't have a "user" either. How about SSL, at the transport layer?

User-oriented keying is useful, and works. The concept is orthogonal to
network stack layering. If it violates some holy "architecture design
principles", then those principles should be changed.

IMHO, of course.

-- 
Harald Koch
chk@border.com

Message-Id: <199608301559.LAA04638@jekyll.piermont.com>
To: "Mitchell C. Nelson" <nelson@mcn.netsec.com>
Cc: ipsec@TIS.COM
Subject: Re: "user" and "network layer" security. reply to respondents. 
In-Reply-To: Your message of "Thu, 29 Aug 1996 20:13:05 EDT."
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Fri, 30 Aug 1996 11:59:20 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

"Mitchell C. Nelson" writes:
> Paul,  I  think you need to think through your scenario a little
> more carefully.  You'll probably see that your argument doesn't fly.
> 
> The present IPSEC does in fact, break the network architecture.

Given that there are real implementations of IPSEC for fairly standard
operating systems like 4.4BSD, and that people are, today,
successfully moving around IPSEC packets on the real live internet,
I'm rather unsure as to why we should be paying attention to your
continued claims that the whole thing can't possibly work.

Perry



Message-Id: <199608301606.MAA04664@jekyll.piermont.com>
To: "M.C.Nelson" <netsec@panix.com>
Cc: ipsec@TIS.COM
Subject: Re: "user" and "network layer" security. reply to respondents. 
In-Reply-To: Your message of "Fri, 30 Aug 1996 09:59:49 EDT."
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Fri, 30 Aug 1996 12:06:30 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk


"M.C.Nelson" writes:
> The transport layer doesn't have "user" either.

Gee, Mr. Nelson, so I suppose all those telnet sessions I've done over
the years were just an illusion, eh? After all, since the transport
layer has no notion of user, there is no way for the transport layer
to direct data to a particular process, so Telnet can't possibly be
implemented, not to mention SMTP. In fact, this mail message is an
illusion.


Perry