Re: Use IPSEC as SSH replacement
Steve,
>The issue with IPSEC is the granularity of protection. In particular,
>if host-level or gateway-level protection is used, how can an application
>request some minimum level of protection, find out what is in fact being
>used, and look at the certificate presented. For many purposes, a replacement
>for ssh would need these abilities.
In a native host implementation, an application can determine what IPsec
services are applied to each data stream. The only real issue is the API
for doing this, and I thought PFKey was a step in that direction.
Certainly one cannot have the same sort of application control in a BITS or
BITW or security gateway implementation, but that's not an IPsec limitation
per se, but a result of all of the IPsec implementation options vs. the
more limited options available for an application layer security protocol.
Steve