
Re: transport vs network and ipsec syn





>>>>> "Arthur" == Arthur Parkos <parkosar@pb.com> writes:
    Arthur> - it's not guaranteed that all connections will be
    Arthur> attempted with ipsec authentication
    Arthur> instantiated. therefore a host will still need to respond
    Arthur> to the request for a connection. or will a host refuse all

  Refusing non-authenticated connections is a matter of local policy.
I expect many sites to start doing this. One way would be that authenticated
connections would get priority over non-authenticated connections when
it comes to resource allocations. Or there would be separate pools.

    Arthur> connect attempts from non-ipsec host.  - if ipsec is
    Arthur> implemented, the host will still need to perform an
    Arthur> authentication on the potential partner which would eat

  The key management protocols have been carefully designed to deal 
with this. 

    Arthur> cpu cycles.  - if ipsec is there, the host receives the
    Arthur> connect attempt and retrieves the address, so what if it
    Arthur> was signed.  couldn't a bad entity sign fake ip addresses
    Arthur> and then send them on to a potential host to be attacked?

  Yes, it might cost CPU cycles. Denial of service attacks are very 
difficult to prevent. The best that I think we can do is to assure that
existing connections will still get their fair share of CPU.

    Arthur> - when will the infrastructure be in place so that a host
    Arthur> can authenticate a connection attempt from the myriad
    Arthur> potential connectees where certificates may have been
    Arthur> issued by different certificate authorities

  Different CA's? This sounds like a certificate management problem,
and I suggest we take this to SPKI or PKIX.

]   Temporarily located in balmy Helsinki, Finland, at SSH      | one quark   [
]  Michael Richardson, Sandelman Software Works, Ottawa, ON     | two quark   [
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ | red q blue q[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
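The "separate pools" / "priority for authenticated connections" policy sketched above, written out as an added example (this is not code from the message or from any IPsec implementation; the class, pool sizes and flood simulation are constructed for illustration):

```python
"""Admission-control sketch: unauthenticated connection attempts may only
consume a bounded pool of slots, so a flood of them cannot starve peers
that arrive with IPsec authentication.  Constructed example."""
from dataclasses import dataclass


@dataclass
class AdmissionPolicy:
    """Two pools of connection slots (hypothetical sizes chosen by local policy).

    - Unauthenticated attempts draw only from unauth_slots.
    - Authenticated attempts draw from auth_slots first and, as the priority
      rule, may borrow an idle unauthenticated slot when their pool is full.
    The reverse borrowing is never allowed, which is the whole point."""
    auth_slots: int
    unauth_slots: int
    auth_used: int = 0
    unauth_used: int = 0
    rejected_unauth: int = 0

    def admit(self, authenticated: bool) -> bool:
        """Return True if the attempt gets a slot, False if it is refused."""
        if authenticated:
            if self.auth_used < self.auth_slots:
                self.auth_used += 1
                return True
            if self.unauth_used < self.unauth_slots:   # priority: borrow
                self.unauth_used += 1
                return True
            return False
        if self.unauth_used < self.unauth_slots:
            self.unauth_used += 1
            return True
        self.rejected_unauth += 1                      # pool exhausted: drop
        return False

    def release(self, authenticated: bool) -> None:
        """Hand a slot back when the connection closes (counts as pool owner)."""
        if authenticated and self.auth_used > 0:
            self.auth_used -= 1
        elif self.unauth_used > 0:
            self.unauth_used -= 1


def survives_flood(policy: AdmissionPolicy, flood_size: int) -> bool:
    """Simulate flood_size unauthenticated attempts, then check whether an
    authenticated peer is still admitted afterwards."""
    for _ in range(flood_size):
        policy.admit(authenticated=False)
    return policy.admit(authenticated=True)
```

With a bounded unauthenticated pool the flood is absorbed by refusals in that pool alone; the authenticated pool is untouched, which is the property the reply is after.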
