
Re: transport-friendly ESP



Alex Alten wrote:
> 
> Frank,
> 
> However having said all that, I do agree that it will be
> a long time before the core routers would do any crypto.
> 
Jumping in in the middle here:

Why should core routers do any significant crypto?  Apart from the
  peeking-in-so-I-can-do-stuff requirements of Steve Bellovin's tf-esp
  proposal, I can't see why they'd need to be a party to any security
  association.

Even if we have blazing-fast algorithms that could reasonably
  be put in a core router, I can't really see the need.  My security
  requirements are end to end, and I'll be damned if I'll let some
  ISP I know nothing about, run by a pimply-faced teenage moron, be
  a party to my security associations.  To have all the core routers
  be a party to security associations is to reduce the security
  of the internet to what is in the (virtual) copper world of
  today.

Core routers WILL do crypto, but not because they need to provide
  decrypt--do-some-stuff--encrypt services to client data streams.
  They'll do crypto because that's the only secure way to manage them
  over the network--a very much lower bandwidth requirement than
  handling crypto on client data streams.


-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Systems Security Architect               Phone: (ESN) 393-9145  +1 613 763 9145
Security and Internet Solutions          Fax:   (ESN) 395-1407  +1 613 765 1407
Nortel Technology              mleech@nortel.ca
-----------------Expressed opinions are my own, not my employer's------


