
Re: AH (without ESP) on a secure gateway



[this may be a repeat. Emacs crashed.]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Steven" == Steven Bellovin <smb@research.att.com> writes:
    Steven> mode.  To do otherwise is inviting trouble.  In fact, I
    Steven> had thought that was what was done -- no other possibility
    Steven> had occurred to me.

  Are you suggesting we need specific wording in the drafts?

    Steven> There's a second issue that has come up here -- how does
    Steven> one know which the right firewall is?  This is one of the

  I favour a firewall discovery system. ICMP Admin denied messages can
provide the right info. I am not certain if this is workable, since I
haven't been able to prototype it all. (And no longer have the funding
to even try.)

    Steven> points I raised at the last IETF meeting; in my opinion,
    Steven> it's very closely related to the naming issue and the
    Steven> certificate issue, and we haven't really tackled either of
  
  I am retrieving your slides. [how do you get the AT&T logo inside of
slidex? Cool.] The problem I see is that there may be different
firewalls involved. Both firewalls in parallel and firewalls in
series.
  While this doesn't sound very likely very soon with most current
application layer firewalls, Checkpoint has announced state-sharing
facilities. It could be a different firewall that is involved each
time! Should the encryption state be shared too? Maybe. Maybe not. 
  Firewalls in series are more interesting. I expect to see this. I am
seeing this.
  
  The best system I can imagine is one where an end node is provided
with a certificate, signed by its intended destination stating that
"firewall X is a legitimate firewall for me". The local node will also
need to be able to recognize a certificate from a local authority
saying "firewall Y is a legitimate firewall to get to 0.0.0.0/0".
 
   (local node)-------- Y --------- X ------- (end node)

  The SPKI group's proposal has the notion of a cache certificate that
could reduce a series of statements into a single self-signed certificate.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQBVAwUBMqW1dtTTll4efmtZAQFF/gH/VzzF8DFKLgRbWYZGUecEkcCFCbiKz/ee
bC3GQX0/IKYVIceV9sIV2HYn+bXlb454bzwCuhn90q1ytlVr1kwNNg==
=51h3
-----END PGP SIGNATURE-----
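An added illustration (not part of the original message, and not from any IPsec WG draft) of the two-certificate scheme sketched above, where the local node checks a path of firewalls in series: the end node signs "X is a legitimate firewall for me", a local authority signs "Y is a legitimate firewall to get to 0.0.0.0/0", and once the series verifies the local node collapses it into one self-signed path certificate in the spirit of the SPKI cache certificate. Everything here is assumed for the sake of the example: Ed25519 signatures, JSON as the signed encoding, a name-to-key table standing in for whatever naming and certificate mechanism the drafts end up with, and the RFC 5737 documentation addresses used as sample hosts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"net"
)

// Assertion is the unsigned content of one statement of the form
// "Gateway is a legitimate firewall for traffic to Scope". Issuer is a
// name the verifier maps to a trusted public key (assumption: a real
// deployment would use a key hash or SPKI principal instead of a name).
type Assertion struct {
	Issuer  string `json:"issuer"`
	Gateway string `json:"gateway"`
	Scope   string `json:"scope"` // CIDR: "192.0.2.10/32" for one host, "0.0.0.0/0" for everything
}

// Cert is an Assertion plus the issuer's Ed25519 signature over its JSON form.
type Cert struct {
	Assertion
	Sig []byte `json:"sig"`
}

// Sign produces a Cert for a under the issuer's private key.
func Sign(priv ed25519.PrivateKey, a Assertion) Cert {
	body, _ := json.Marshal(a) // cannot fail on this plain struct
	return Cert{Assertion: a, Sig: ed25519.Sign(priv, body)}
}

// Verify checks that c was signed by the key we trust for c.Issuer and that
// its Scope actually covers the destination we are trying to reach.
func Verify(trusted map[string]ed25519.PublicKey, c Cert, dst net.IP) error {
	pub, ok := trusted[c.Issuer]
	if !ok {
		return fmt.Errorf("issuer %q is not a trusted authority", c.Issuer)
	}
	body, _ := json.Marshal(c.Assertion)
	if !ed25519.Verify(pub, body, c.Sig) {
		return fmt.Errorf("bad signature on statement about gateway %q", c.Gateway)
	}
	_, cidr, err := net.ParseCIDR(c.Scope)
	if err != nil {
		return fmt.Errorf("gateway %q: unparsable scope %q", c.Gateway, c.Scope)
	}
	if !cidr.Contains(dst) {
		return fmt.Errorf("gateway %q is only authorized for %s, not %s", c.Gateway, c.Scope, dst)
	}
	return nil
}

// VerifyPath walks the firewalls in series (local side first) and requires a
// valid, in-scope Cert for every one of them; one unauthorized hop rejects the path.
func VerifyPath(trusted map[string]ed25519.PublicKey, path []string, certs []Cert, dst net.IP) error {
	for _, gw := range path {
		authorized := false
		for _, c := range certs {
			if c.Gateway == gw && Verify(trusted, c, dst) == nil {
				authorized = true
				break
			}
		}
		if !authorized {
			return fmt.Errorf("no valid certificate authorizes gateway %q for %s", gw, dst)
		}
	}
	return nil
}

// PathCert is the cache-certificate reduction: once the chain has been walked,
// the local node signs one statement covering the whole path, so later checks
// cost a single signature verification (simplified model, not the SPKI format).
type PathCert struct {
	Path []string `json:"path"`
	Dst  string   `json:"dst"`
	Sig  []byte   `json:"sig,omitempty"`
}

// Reduce verifies the series first and only then issues the self-signed summary.
func Reduce(trusted map[string]ed25519.PublicKey, self ed25519.PrivateKey, path []string, certs []Cert, dst net.IP) (PathCert, error) {
	if err := VerifyPath(trusted, path, certs, dst); err != nil {
		return PathCert{}, err
	}
	pc := PathCert{Path: path, Dst: dst.String()}
	body, _ := json.Marshal(pc) // Sig is empty here, so it is omitted from the signed bytes
	pc.Sig = ed25519.Sign(self, body)
	return pc, nil
}

// CheckReduced validates a PathCert against the local node's own public key.
func CheckReduced(self ed25519.PublicKey, pc PathCert) bool {
	sig := pc.Sig
	pc.Sig = nil
	body, _ := json.Marshal(pc)
	return ed25519.Verify(self, body, sig)
}

func main() {
	// Constructed scenario: the end node vouches for X, the local authority for Y.
	endPub, endPriv, _ := ed25519.GenerateKey(rand.Reader)
	laPub, laPriv, _ := ed25519.GenerateKey(rand.Reader)
	selfPub, selfPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"end-node": endPub, "local-authority": laPub}
	dst := net.ParseIP("192.0.2.10") // constructed documentation address
	certs := []Cert{
		Sign(endPriv, Assertion{Issuer: "end-node", Gateway: "X", Scope: "192.0.2.10/32"}),
		Sign(laPriv, Assertion{Issuer: "local-authority", Gateway: "Y", Scope: "0.0.0.0/0"}),
	}
	pc, err := Reduce(trusted, selfPriv, []string{"Y", "X"}, certs, dst)
	fmt.Println("path Y -> X:", err, "reduced cert valid:", err == nil && CheckReduced(selfPub, pc))
	fmt.Println("path Y -> Z:", VerifyPath(trusted, []string{"Y", "Z"}, certs, dst))
}
```

The point the scope check makes is that the two statements are not interchangeable: the end node's certificate for X covers only the end node's own address, so X cannot be reused as a gateway to some other destination, while the local authority's 0.0.0.0/0 statement for Y says nothing about which remote firewall is legitimate. The parallel-firewall case from the message falls out of the same check, since any firewall holding a valid in-scope certificate is acceptable regardless of which one answers this time.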

