
RE: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



The issue that Greg brings up is very important.  My company relies on
port information heavily for analysis of protocols and applications, and
if this information is obscured it becomes difficult to accurately
report on the different applications that are running.

The option to supply port information means that security can be
downgraded (i.e. the ports can be revealed) when a management
application needs to run (for troubleshooting purposes, for example) and
then can easily be switched on.  This would be a very valuable service.
In addition, some devices characterize traffic priority based on ports
(and other information), and in the presence of an IPSEC packet these
devices would not work (which is of course a classic example of the
security/functionality trade-off).

In addition, a way to read the full packet information at an appropriate
point in the protocol stack (post decryption) will probably be important
for some vendors, or the ability to do their own decryption.

John Graham-Cumming
Optimal Networks

-----Original Message-----
From: Paul Koning [mailto:pkoning@xedia.com]
Sent: Thursday, March 26, 1998 3:07 PM
To: iesg@ns.ietf.org; minshall@fiberlane.com
Cc: ipsec@tis.com; ietf@ns.ietf.org
Subject: Re: Last Call: Security Architecture for the Internet Protocol
to Proposed Standard


I would support the concern that Greg raised.

There is an increased use of finer-grained traffic classification, in
which port numbers play a role.

It is true that, for maximum security, this information may want to be
hidden.  Greg recognized that in his suggestion that the port number
copy in the security header could be supplied as all zero.

If the port number is concealed (either with IPSec as it is currently
defined, or with zeroed port numbers in Greg's suggestion) then a
traffic classifier would have no port information and would have to
classify all that traffic as "other" or "unknown application".  This
may be acceptable in many cases.

By creating an *option* of supplying port information to the
classifier, it allows a user to give up a small amount of security and
gain the benefit of being classified into a different traffic category
that has different (presumably better) service.  I believe this is a
valuable option.

	Paul Koning
	Xedia Corporation
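The classifier behaviour both messages describe, as an added example that is not part of the thread: a port-based IPv4 classifier that names the application for plaintext TCP/UDP, still reads the ports through an AH header (AH authenticates but does not encrypt), and can only label an ESP packet "unknown application" because the transport header is encrypted. The port table and sample packets are constructed for illustration.

```python
import socket
import struct

# IANA IPv4 protocol numbers.
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51

# Constructed port-to-application table; a real classifier would be far larger.
WELL_KNOWN_PORTS = {25: "smtp", 53: "dns", 80: "http", 443: "https"}

def app_for(sport: int, dport: int) -> str:
    """Map either port to an application name, else 'other'."""
    return WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport) or "other"

def classify(packet: bytes) -> dict:
    """Classify one raw IPv4 packet by transport ports where they are visible."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto, payload = packet[9], packet[ihl:]
    if proto == PROTO_AH:
        # AH authenticates but does not encrypt: skip its header, which is
        # (payload_len + 2) 32-bit words, and classify the inner transport header.
        next_hdr, ah_len = payload[0], (payload[1] + 2) * 4
        proto, payload = next_hdr, payload[ah_len:]
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"proto": proto, "sport": sport, "dport": dport,
                "app": app_for(sport, dport)}
    if proto == PROTO_ESP:
        # ESP encrypts the transport header: only the SPI is visible, so the
        # classifier cannot name the application.
        spi = struct.unpack("!I", payload[:4])[0]
        return {"proto": proto, "spi": spi, "app": "unknown application"}
    return {"proto": proto, "app": "other"}

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (checksum left zero; classify() ignores it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    return hdr + payload

# Constructed sample packets: plaintext TCP to 443, ESP, and AH-wrapped UDP to 53.
TCP_PKT = ipv4(PROTO_TCP, struct.pack("!HH", 40000, 443) + b"\x00" * 16)
ESP_PKT = ipv4(PROTO_ESP, struct.pack("!II", 0x1234, 1) + b"\xaa" * 32)
AH_HDR = struct.pack("!BBHII", PROTO_UDP, 4, 0, 0x5678, 1) + b"\xbb" * 12  # payload_len 4 -> 24 bytes
AH_PKT = ipv4(PROTO_AH, AH_HDR + struct.pack("!HHHH", 53000, 53, 8, 0))
```

Call `classify()` on each sample packet to see the three outcomes: `https` for the plaintext TCP packet, `dns` for the AH-wrapped UDP packet, and `unknown application` for the ESP packet.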

