Re: IKE must have no Heirs
At 02:28 AM 8/7/2001, Alex Alten wrote:
>I second the motion. And also propose no port number (i.e. do the new
>one over raw IP).
There is a benefit to this approach if, in some future universe, we ever
try to implement a protocol stack using least privilege to maximize
security assurance. It gives us an easy way of putting all parts of IPsec
within the same trust boundary and of keeping it better separated from
other protocol processing.
Otherwise you are stuck with a uniform level of trust for all of the
software in the protocol stack, crypto and non-crypto, including the
mechanism that binds ports to processes. I know, this isn't a problem today
because protocol stacks run in kernel mode and therefore we (have no other
choice but to) "trust" the entire protocol stack.
It is, of course, feasible to ignore the issues of incremental trust and/or
build additional mechanisms to bring together what is built asunder. But it
seems cleaner, design-wise, to keep the key management close to the code
that actually uses the resulting keys.
Rick.
smith@securecomputing.com