
policy versus protocol



> Date: Wed, 23 Apr 1997 13:00:19 -0400
> From: ho@earth.hpc.org (Hilarie Orman)
> I'd thought the goal of the group was to protect the Internet
> environment, i.e. an active attack environment.  Thus, it seems to me
> that leaving integrity as an administrator option is contrary to the
> charter of the group.
>
Nobody is talking about leaving _anything_ to an administrator.  We are
talking about how to make a _protocol_ specification (bits on a wire)
generic enough to handle current and future needs.


> The conditions for safely dispensing with integrity are very narrow,
> i.e. one of
>
> 	1. Physical impossibility of active attacks (NB analysis must be
> 	   end-to-end)
> 	2. Encryption method has strong internal integrity (not DES)
> 	3. Connection limited to use by applications with strong
> 	   internal integrity
> 	4. Attacker can never know or guess ciphertext/plaintext pairs
> 	   from observed traffic
>
This is good (although I'd put #2 first), and should be in the
architecture document!

Then, implementors can read the architecture to decide what threat
scenarios apply to their product.

This is supposed to be a protocol Working Group, not a policy debate
group.  Document the applicability, and let the implementors make the
choices....  For example, only the implementor knows whether the
encryption method includes integrity.

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
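Worked illustration of conditions #2 and #4 in Orman's list, added here as an editor's example; it is not code from either correspondent or from any IPsec implementation. It assumes a toy 8-round Feistel cipher (SHA-256 round function, 64-bit block) standing in for DES in CBC mode, a constructed three-block message and constructed keys, and HMAC-SHA256 over IV||ciphertext as the integrity mechanism. The forgery depends only on the CBC structure P[i] = D(C[i]) xor C[i-1], so it works against any block cipher that, like DES, has no internal integrity: an attacker who knows (or guesses) one plaintext block can rewrite it to a chosen value by flipping bits in the preceding ciphertext block, or in the transmitted IV for the first block, and the receiver decrypts the forgery without complaint.

```python
"""Encryption without integrity under active attack: CBC bit-flipping.

Added example, not from the original thread. The block cipher is a toy
Feistel network standing in for DES; the attack does not depend on it.
"""
import hashlib
import hmac

BLOCK = 8      # 64-bit blocks, as in DES-CBC
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    """Toy Feistel round function (assumption: truncated keyed SHA-256)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return r + l                       # final swap


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:4], block[4:]        # undo final swap
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "example uses whole blocks, no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))   # P[i] = D(C[i]) ^ C[i-1]
        prev = c
    return b"".join(out)


def forge_block(iv: bytes, ct: bytes, index: int, known: bytes, desired: bytes):
    """Known-plaintext forgery: make plaintext block `index` decrypt to `desired`.

    Flipping bits in C[index-1] (or in the IV for index 0) flips the same bits
    in P[index]. Block index-1, if any, decrypts to garbage as a side effect;
    a forgery via the IV leaves every other block intact.
    """
    delta = _xor(known, desired)
    if index == 0:
        return _xor(iv, delta), ct
    start = (index - 1) * BLOCK
    prev = ct[start:start + BLOCK]
    return iv, ct[:start] + _xor(prev, delta) + ct[start + BLOCK:]


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, pt: bytes):
    """Encrypt-then-MAC: tag covers the IV and the ciphertext."""
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv, ct, tag


def open_sealed(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes):
    expect = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None                    # reject before decrypting anything
    return cbc_decrypt(enc_key, iv, ct)


def demo() -> dict:
    enc_key, mac_key = b"k" * 16, b"m" * 16          # constructed keys
    iv = bytes(range(BLOCK))                          # fixed IV for reproducibility
    pt = b"PAY $100" + b"TO ALICE" + b"REF 1234"      # constructed message
    ct = cbc_encrypt(enc_key, iv, pt)

    # 1. No integrity: attacker who knows block 1 rewrites it; block 0 is garbled.
    iv2, ct2 = forge_block(iv, ct, 1, b"TO ALICE", b"TO EVE  ")
    forged = cbc_decrypt(enc_key, iv2, ct2)
    # 2. No integrity, block 0 via the IV: a clean rewrite with no garbage at all.
    iv3, ct3 = forge_block(iv, ct, 0, b"PAY $100", b"PAY $999")
    forged_via_iv = cbc_decrypt(enc_key, iv3, ct3)
    # 3. With an HMAC over IV||ciphertext, the same forgery is rejected.
    siv, sct, tag = seal(enc_key, mac_key, iv, pt)
    fiv, fct = forge_block(siv, sct, 0, b"PAY $100", b"PAY $999")
    return {
        "roundtrip": cbc_decrypt(enc_key, iv, ct),
        "forged_block1": forged[BLOCK:2 * BLOCK],
        "block0_garbled": forged[:BLOCK] != pt[:BLOCK],
        "forged_via_iv": forged_via_iv,
        "sealed_ok": open_sealed(enc_key, mac_key, siv, sct, tag) == pt,
        "tamper_rejected": open_sealed(enc_key, mac_key, fiv, fct, tag) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The receiver in cases 1 and 2 has no way to tell the forged packet from a genuine one: the cipher decrypts it, and the only evidence is a garbled neighbouring block (case 1) or nothing at all (case 2). That is why a cipher with no internal integrity (condition #2) combined with predictable plaintext (condition #4) is unsafe without a separate authenticator, and why the check in `open_sealed` runs before any decryption.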