[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

To: "'Phil Karn'" <karn@qualcomm.com>, jgc@optimal.com
Subject: RE: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
From: Peter Ford <peterf@microsoft.com>
Date: Fri, 27 Mar 1998 10:47:06 -0800
Cc: pkoning@xedia.com, iesg@ns.ietf.org, minshall@fiberlane.com, ipsec@tis.com, ietf@ns.ietf.org
Sender: owner-ipsec@ex.tis.com


Phil

At least one company is planning on shipping a high volume product that
makes it easy to use IPSEC end to end in transport mode.  I note there are
other end system companies who are already shipping IPSEC in this manner.
Over time I expect that E2E will be the dominant model.  In the mean time I
agree with your observation that Tunnel mode dominates.

Your proposed partitioning does not solve the problem the SNOOP guys have on
the public network where they want a proxy at the base station (public side)
to massage and manipulate packets based on TCP seq #s to better accomodate
losses and handoffs of mobile stations. 

We could probably have an interesting debate as to whether SNOOP is the best
way to go...

cheers, peter



> -----Original Message-----
> From:	Phil Karn [SMTP:karn@qualcomm.com]
> Sent:	Thursday, March 26, 1998 11:11 PM
> To:	jgc@optimal.com
> Cc:	pkoning@xedia.com; iesg@ns.ietf.org; minshall@fiberlane.com;
> ipsec@tis.com; ietf@ns.ietf.org; karn@qualcomm.com
> Subject:	Re: Last Call: Security Architecture for the Internet
> Protocol to Proposed Standard
> 
> >The issue that Greg brings up is very important.  My company relies on
> >port information heavily for analysis of protocols and applications and
> >if this information is obscured it becomes difficult to accurately
> >report on the different applications that are running.
> 
> IPSEC is most often implemented on border routers between private
> subnets and the public Internet to protect inter-subnet traffic
> between hosts that can't protect themselves on an end-to-end
> basis. (It seems less likely that IPSEC will replace existing
> end-to-end encryption mechanisms like PGP, SSH and SSL where they are
> already implemented.)
> 
> In such "tunnel" configurations, the packets are still available in
> plaintext within the private networks, where they can be monitored and
> debugged by the operators of those networks. Similarly, any
> information needed by the subnet's internal and border routers for
> traffic classification is still available.  Only the external, public
> part of the path is encrypted.
> 
> Phil

Prev by Date: Re: Last Call: Security Architecture for the Internet Protocol to
Next by Date: Re: updated draft-ietf-ipsec-ciph-cbc-03.txt
Prev by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Next by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Index(es):
- Main
- Thread