
Re: Use IPSEC as SSH replacement



In message <v04011702b28b0c01dcbd@[128.89.0.110]>, Stephen Kent writes:
>Steve,
>
>>The issue with IPSEC is the granularity of protection.  In particular,
>>if host-level or gateway-level protection is used, how can an application
>>request some minimum level of protection, find out what is in fact being
>>used, and look at the certificate presented.  For many purposes, a replacement
>>for ssh would need these abilities.
>
>In a native host implementation, an application can determine what IPsec
>services are applied to each data stream.  The only real issue is the API
>for doing this, and I thought PFKey was a step in that direction.
>Certainly one cannot have the same sort of application control in a BITS or
>BITW or security gateway implementation, but that's not an IPsec limitation
>per se; it is a result of all of the IPsec implementation options vs. the
>more limited options available for an application layer security protocol.

Precisely.  As for PFkey -- Dan and I have talked at some length about the
requirements for an advanced API.  But there's still a lot more to be done.