
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



>The issue that Greg brings up is very important.  My company relies on
>port information heavily for analysis of protocols and applications and
>if this information is obscured it becomes difficult to accurately
>report on the different applications that are running.

IPSEC is most often implemented on border routers between private
subnets and the public Internet to protect inter-subnet traffic
between hosts that can't protect themselves on an end-to-end
basis. (It seems less likely that IPSEC will replace existing
end-to-end encryption mechanisms like PGP, SSH and SSL where they are
already implemented.)

In such "tunnel" configurations, the packets are still available in
plaintext within the private networks, where they can be monitored and
debugged by the operators of those networks. Similarly, any
information needed by the subnet's internal and border routers for
traffic classification is still available.  Only the external, public
part of the path is encrypted.

Phil
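To make Phil's point about visibility concrete, here is an added example that is not from the original post and not the code of any IPsec implementation. It hand-builds a constructed inner IPv4/TCP packet, wraps it in a tunnel-mode ESP-style encapsulation (new outer IP header, ESP SPI and sequence number, encrypted inner packet), and then runs the same classifier over the packet as seen on the private subnet and as seen on the public path. Everything in it is an assumption for illustration: the addresses, ports, SPI and key are made up, and the HMAC-SHA256 counter keystream is a stand-in for the real ESP transform (no padding, next-header trailer or ICV is modelled).

```python
import hashlib
import hmac
import struct

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header: no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header: ports, seq, ack, offset/flags, window, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def keystream(key, spi, seq, length):
    """Stand-in keystream (HMAC-SHA256 in counter mode), NOT the real ESP cipher.

    Keyed by SPI and sequence number so that each packet gets a distinct stream.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_tunnel_encapsulate(inner_packet, outer_src, outer_dst, spi, seq, key):
    """Tunnel mode: the whole inner IP packet becomes the ESP payload of a new outer packet."""
    ks = keystream(key, spi, seq, len(inner_packet))
    ciphertext = bytes(a ^ b for a, b in zip(inner_packet, ks))
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(outer_src, outer_dst, IP_PROTO_ESP, len(esp)) + esp


def esp_tunnel_decapsulate(packet, key):
    """Reverse of esp_tunnel_encapsulate: strip the outer header and recover the inner packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IP_PROTO_ESP:
        raise ValueError("not an ESP packet")
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    ciphertext = packet[ihl + 8:]
    ks = keystream(key, spi, seq, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def classify(packet):
    """What a router that sees only this packet can learn.

    TCP/UDP: the full 5-tuple.  ESP: only the outer addresses, the SPI and the sequence
    number; the inner addresses and ports are inside the ciphertext.
    """
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    payload = packet[ihl:]
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"src": src, "dst": dst, "proto": proto, "spi": spi, "seq": seq}
    return {"src": src, "dst": dst, "proto": proto}


def demo():
    """Constructed sample: a host on one private subnet opening an HTTPS connection to another.

    Returns (view inside the private subnet, view on the public path, view after the far
    border router has decapsulated the packet).
    """
    inner = ipv4_header("10.0.1.5", "10.0.2.7", IP_PROTO_TCP, 20) + tcp_header(40000, 443)
    key = hashlib.sha256(b"illustration-only SA key").digest()  # made-up key
    outer = esp_tunnel_encapsulate(inner, "203.0.113.1", "198.51.100.1", 0x1000, 1, key)
    restored = esp_tunnel_decapsulate(outer, key)
    return classify(inner), classify(outer), classify(restored)


if __name__ == "__main__":
    for label, view in zip(("private subnet", "public path", "far subnet"), demo()):
        print(f"{label:15s} {view}")
```

Running it shows the two views side by side: on either private subnet the classifier reports the 10.0.x.x addresses and ports 40000 and 443, while on the public path it reports only the two border-router addresses, protocol 50, and the SPI. That is the trade-off Phil describes: the port-based analysis the quoted reply depends on still works wherever the packet is in plaintext, and is lost only on the encrypted segment between the border routers.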

