
Re: IKE must have no Heirs



At 02:28 AM 8/7/2001, Alex Alten wrote:

>I second the motion. And also propose no port number (i.e. do the new
>one over raw IP).

There is a benefit to this approach if, in some future universe, we ever 
try to implement a protocol stack using least privilege to maximize 
security assurance. It gives us an easy way of putting all parts of IPsec 
within the same trust boundary and of keeping it better separated from 
other protocol processing.

Otherwise you are stuck with a uniform level of trust for all of the 
software in the protocol stack, crypto and non-crypto, including the 
mechanism that binds ports to processes. I know, this isn't a problem today 
because protocol stacks run in kernel mode and therefore we (have no other 
choice but to) "trust" the entire protocol stack.

It is, of course, feasible to ignore the issues of incremental trust and/or 
build additional mechanisms to bring together what is built asunder. But it 
seems cleaner, design-wise, to keep the key management close to the code 
that actually uses the resulting keys.

Rick.
smith@securecomputing.com


