[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Use IPSEC as SSH replacement

To: IP Security List <ipsec@tis.com>
Subject: Re: Use IPSEC as SSH replacement
From: Henry Spencer <henry@spsystems.net>
Date: Tue, 1 Dec 1998 13:39:06 -0500 (EST)
In-Reply-To: <36642959.3F84AF3F@redcreek.com>
Sender: owner-ipsec@ex.tis.com

On Tue, 1 Dec 1998, Scott G. Kelly wrote:
> It seems that one of the greatest impediments to this is the perceived
> vulnerability of the channel between the application and the ipsec
> layer...

Unfortunately, in the most severely general case, this problem is beyond
solution... because in a system with the classical user/kernel split, any
hostile software which can intervene at the kernel level can also inspect
and change the code and data of the application itself, defeating *any*
application-level safeguards.  It seems to me that there is little hope of
defending the application against a sophisticated attack mounted from
within the kernel it is running on.  Effective defences have to be placed
further out, defending the kernel against intrusion.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)

References:

Re: Use IPSEC as SSH replacement

From: "Scott G. Kelly" <skelly@redcreek.com>

Prev by Date: Re: Use IPSEC as SSH replacement
Next by Date: RE: Use IPSEC as SSH replacement
Prev by thread: Re: Use IPSEC as SSH replacement
Next by thread: RE: Use IPSEC as SSH replacement
Index(es):
- Main
- Thread