
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



At 11:00 PM 3/26/98 -0800, Phil Karn wrote:
>>By creating an *option* of supplying port information to the
>>classifier, it allows a user to give up a small amount of security and 
>>gain the benefit of being classified into a different traffic category 
>>that has different (presumably better) service.  I believe this is a
>>valuable option.
>
>Other, far better-layered mechanisms already exist to categorize
>traffic with various levels of service. The TOS field in the IP header
>is the prime example. Also, policy routing based on IP source and
>destination addresses is also possible.

There is serious discussion of using TOS for DIFSRV; IPsec systems could set
TOS for this based on a DIFSRV BCP.

>IPSEC was originally designed to protect hosts on small private
>networks from the big bad public network. But it's also possible to
>use it to protect (parts of) the public network itself from all those
>hosts on private networks.  It's really a very flexible protocol.
>It just takes a little imagination and creativity in using it.

Phil, I only viewed this as a deployment issue.  It will be on all hosts in
time (thank you Peter...).  I evaluated a pre-IPsec product for our Payroll
system.  The only reason it was not done was that the systems were Win 3.1
with Novell's IP stack on ODI.  This gave the client a little too much
instability.  We are on the hook to still secure that, now that the users
are all on Win95.  We also did an auth-only implementation between some
plant robotics and the production engineers; this allowed us to eliminate
the Allen-Bradley DataHighway stuff.

As my ex-colleagues move forward on their border-level rollouts, they are
already chomping at the bit for end-to-end IPsec, at least auth only.  The
reason is IPsec in gateway mode has to trust the hosts' IP addresses, but
idea when you don't control the client's network.

Oh, I should mention that my interest from day 1 was not intra-corporate
VPNs, but rather inter-corporate VPNs.  These are much more needed....

The number of industries that are talking to me about how they can leverage
IPsec for this use further validates my view of the use of IPsec.



Robert Moskowitz
ICSA
Security Interest EMail: rgm-sec@htt-consult.com

