
Re: Use IPSEC as SSH replacement



Steve,

>The issue with IPSEC is the granularity of protection.  In particular,
>if host-level or gateway-level protection is used, how can an application
>request some minimum level of protection, find out what is in fact being
>used, and look at the certificate presented.  For many purposes, a replacement
>for ssh would need these abilities.

In a native host implementation, an application can determine what IPsec
services are applied to each data stream.  The only real issue is the API
for doing this, and I thought PFKey was a step in that direction.
Certainly one cannot have the same sort of application control in a BITS or
BITW or security gateway implementation, but that's not an IPsec limitation
per se, but a result of all of the IPsec implementation options vs. the
more limited options available for an application layer security protocol.

Steve

