
Re: [Isis-wg] Re: Deprecation of AH header from the IPSEC tool kit



At 14:43 19/06/00, Paul Koning wrote:

>Fair enough.  It's common enough to put a security gateway in the same
>box as a firewall.  For example, our own Access Point products do that
>today.  Then again, they do that with ESP, which does all that is
>needed for this application.

Your assertion that "ESP does all that is needed" is not really true.

ESP does nothing if the security policy requires authentication of
anything that is an IP-layer option or header (and please consider
that the current set of options/headers will be expanded over time
in ways that none of us can predict).  As noted earlier, the current
set of security gateways generally do not provide very high assurance
levels with respect to the IP packets.

>Huh?  I see nothing of that in RFC 2402.  In any case, given the
>performance (or rather, lack thereof) of digital signatures, it's
>unlikely that any extensions to AH or ESP to use digital signatures on
>a per-packet basis would see any significant use.

It is true that digital signature creation can be compute-intensive
today on general purpose hardware.

However, I will also note some folks are meeting this week about the use
of digital signatures to protect routing protocols.  Several major
Tier-1 ISPs and routing vendors will be participating.  So clearly
there is a set of folks (both users and implementers) who think
that there might well be an interesting applicability domain
for digital signatures (whether or not those are digital signatures
in AH) in the operational Internet.

Ran
rja@inet.org
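The coverage difference Ran is pointing at (ESP's integrity check stops at the ESP boundary, AH's ICV covers the IP header and its options) as an added example that is not code from this thread; the key, addresses, payload and option values are constructed, and the mutable-field handling follows RFC 2402 in simplified form (all options treated as immutable, which holds for Router Alert).

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"      # constructed; a real SA key comes from IKE
ROUTER_ALERT = b"\x94\x04\x00\x00"  # IPv4 Router Alert option, immutable in transit


def build_ipv4_header(options: bytes, ttl: int) -> bytes:
    """Minimal IPv4 header (constructed addresses) followed by options.
    Total length is left 0 and protocol fixed at 51 (AH) for brevity;
    neither affects the sent-versus-received comparison below."""
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 0, 0x1234, 0, ttl,
                        51, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


def ah_covered(ip_header: bytes, payload: bytes) -> bytes:
    """AH integrity scope: the whole IP header, options included, with the
    fields that legitimately change in transit zeroed, then the payload."""
    hdr = bytearray(ip_header)
    hdr[1] = 0                  # TOS
    hdr[6:8] = b"\x00\x00"      # flags + fragment offset
    hdr[8] = 0                  # TTL
    hdr[10:12] = b"\x00\x00"    # header checksum
    return bytes(hdr) + payload


def esp_covered(ip_header: bytes, payload: bytes) -> bytes:
    """ESP integrity scope: ESP header and (encrypted) payload only. The IP
    header and its options never enter the ICV, whatever they contain."""
    return payload


COVERAGE = {"AH": ah_covered, "ESP": esp_covered}


def icv(mode: str, ip_header: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, COVERAGE[mode](ip_header, payload), hashlib.sha256).digest()[:12]


def receiver_rejects(mode: str, alter_option: bool, decrement_ttl: bool) -> bool:
    """Constructed scenario: the sender's ICV versus the ICV the receiver
    recomputes after on-path changes. True means the integrity check fails."""
    payload = b"constructed upper-layer data"
    sent = build_ipv4_header(ROUTER_ALERT, ttl=64)
    opt = b"\x94\x04\x00\x01" if alter_option else ROUTER_ALERT  # option value rewritten
    recv = build_ipv4_header(opt, ttl=63 if decrement_ttl else 64)
    return icv(mode, sent, payload) != icv(mode, recv, payload)
```

A TTL decrement alone passes under AH because the field is zeroed before the ICV is computed, while a rewritten option fails under AH and goes unnoticed under ESP.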

