
Re: transport-friendly ESP [hop-by-hop encryption ]



I have some difficulty seeing what significant advantage blind
hop-by-hop IPSEC encryption of transit traffic would serve (co-operating
SGs are also end-to-end in a way). Without end-to-end IPSEC, an
eavesdropper would only need to find one weak router on the path to
break the security. So why waste resources on something that doesn't
provide much utility? Am I missing something?

However, I suppose any additional security doesn't hurt either, if
someone wants to assign the resources.

It would protect one link, but would anyone trust that their packets
always take a route where all hops are protected and routers secure?
If I have sensitive data, I would use end-to-end protection.

Of course, for connecting to the router box for maintenance and other
similar purposes, IPSEC is the right thing again.

(As to transport-friendly ESP, I feel kind of "violated" if some
random router peeks inside my packets, so I prefer ESP as is :-)
-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
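The "one weak router breaks it" argument made in the message above, as an added toy model that is not part of the original post. Everything here is constructed: the path A-R1-R2-R3-B, the payload, and the cipher (a SHA-256 keystream XOR standing in for ESP's real transform, with keys derived from node names instead of negotiated by IKE). It carries one packet across the path under four protection modes and reports whether a single compromised router, R2, can read the payload.

```python
"""Toy model: hop-by-hop ESP vs end-to-end ESP with one compromised router.

Added illustration, not code from the original message. The cipher and
key derivation are stand-ins for ESP/IKE and must not be used for real.
"""
import hashlib
import os

PLAINTEXT = b"SENSITIVE: Q3 salary file"        # constructed sample payload
PATH = ["A", "R1", "R2", "R3", "B"]             # constructed path: 2 hosts, 3 routers


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy ESP transform)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def pair_key(a: str, b: str) -> bytes:
    """Toy symmetric key known only to a and b (the SA between them)."""
    return hashlib.sha256(b"sa:" + "|".join(sorted((a, b))).encode()).digest()


def esp_encrypt(key: bytes, payload: bytes) -> bytes:
    nonce = os.urandom(8)                       # fresh per packet, sent in clear like an IV
    return nonce + keystream_xor(key, nonce, payload)


def esp_decrypt(key: bytes, packet: bytes) -> bytes:
    return keystream_xor(key, packet[:8], packet[8:])


def send(path, compromised, hop_by_hop, end_to_end):
    """Carry PLAINTEXT from path[0] to path[-1].

    hop_by_hop: every link is its own SA; each router decrypts and re-encrypts.
    end_to_end: the two hosts share an SA; routers forward the ciphertext as-is.
    Returns (bytes the compromised router can read, bytes the receiver recovers).
    """
    src, dst = path[0], path[-1]
    carried = esp_encrypt(pair_key(src, dst), PLAINTEXT) if end_to_end else PLAINTEXT
    seen_by_attacker = None
    for here, nxt in zip(path, path[1:]):
        if hop_by_hop:
            on_wire = esp_encrypt(pair_key(here, nxt), carried)   # link SA here->nxt
            carried = esp_decrypt(pair_key(here, nxt), on_wire)   # nxt strips link ESP
        # else: carried goes on the wire and is forwarded unchanged
        if nxt == compromised:
            seen_by_attacker = carried      # all a router has is its own link key
    delivered = esp_decrypt(pair_key(src, dst), carried) if end_to_end else carried
    return seen_by_attacker, delivered


def leaks_to(compromised, hop_by_hop, end_to_end):
    """True if that one router learns the payload; also checks delivery worked."""
    seen, delivered = send(PATH, compromised, hop_by_hop, end_to_end)
    assert delivered == PLAINTEXT, "receiver must always recover the payload"
    return seen == PLAINTEXT


def scenarios(compromised="R2"):
    """Which protection modes let a single compromised router read the payload."""
    return {
        "cleartext":       leaks_to(compromised, False, False),
        "hop_by_hop_only": leaks_to(compromised, True, False),
        "end_to_end_only": leaks_to(compromised, False, True),
        "both":            leaks_to(compromised, True, True),
    }


if __name__ == "__main__":
    for name, leaked in scenarios().items():
        print(f"{name:16} compromised R2 reads plaintext: {leaked}")
```

Per-link ESP protects each wire segment but, by construction, every router on the path holds a key that decrypts what crosses it, so the attacker's cost is the weakest router rather than the whole path; with end-to-end ESP in place the same router sees only the host-to-host ciphertext, whether or not the links are additionally protected.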

