Re: Use IPSEC as SSH replacement
In message <v04011702b28b0c01dcbd@[128.89.0.110]>, Stephen Kent writes:
>Steve,
>
>>The issue with IPSEC is the granularity of protection. In particular,
>>if host-level or gateway-level protection is used, how can an application
>>request some minimum level of protection, find out what is in fact being
>>used, and look at the certificate presented. For many purposes, a replacement
>>for ssh would need these abilities.
>
>In a native host implementation, an application can determine what IPsec
>services are applied to each data stream. The only real issue is the API
>for doing this, and I thought PFKey was a step in that direction.
>Certainly one cannot have the same sort of application control in a BITS or
>BITW or security gateway implementation, but that's not an IPsec limitation
>per se, but a result of all of the IPsec implementation options vs. the
>more limited options available for an application layer security protocol.
Precisely. As for PFkey -- Dan and I have talked at some length about the
requirements for an advanced API. But there's still a lot more to be done.