[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Use IPSEC as SSH replacement

To: "Scott G. Kelly" <skelly@redcreek.com>
Subject: Re: Use IPSEC as SSH replacement
From: "Perry E. Metzger" <perry@piermont.com>
Date: Tue, 01 Dec 1998 12:57:07 -0500
cc: ipsec@tis.com
In-reply-to: Your message of "Tue, 01 Dec 1998 09:37:29 PST." <36642959.3F84AF3F@redcreek.com>
Reply-To: perry@piermont.com
Sender: owner-ipsec@ex.tis.com

"Scott G. Kelly" writes:
> "Perry E. Metzger" wrote:
> > I had originally hoped, in fact, that IPSec would make tools like SSH
> > unnecessary by providing upper layer tools sufficient information that
> > they could simply ask the identity of the other side of any TCP
> > session from the security layer and not need to manage any
> > cryptography on their own at all. Sadly, things have not thus far
> > worked out this way, but it is not an unreasonable goal for people to
> > be striving for.
> 
> It seems that one of the greatest impediments to this is the perceived
> vulnerability of the channel between the application and the ipsec
> layer.

You presumably get information into and out of the IPSec layer via
system calls.

If you can't trust your kernel, you can't trust your own code because
the kernel can do arbitrary things to the running application,
including replacing its code on the fly. Therefore, I don't think this
is a giant issue.

Perry

References:

Re: Use IPSEC as SSH replacement

From: "Scott G. Kelly" <skelly@redcreek.com>

Prev by Date: Re: Use IPSEC as SSH replacement
Next by Date: Re: Use IPSEC as SSH replacement
Prev by thread: Re: Use IPSEC as SSH replacement
Next by thread: Re: Use IPSEC as SSH replacement
Index(es):
- Main
- Thread