
RE: SAs that carry fragments Was: Re: Some IKEv2 issues




> We've had analogous debates on this before.  IPsec is NOT just a VPN 
> technology and our specs ought not be VPN-specific. I have certainly 
> advised folks to use port selectors for tunnels under certain 
> instances, e.g., to restrict traffic to a server to be traffic of the 
> sort appropriate to that server, based on the well known ports 
> associated with the service.
> 
> Steve
> 

Thanks for your comments,

I have a few questions:

1) In the MPLS working group, there has been a lot of input from
users/producers of the technology that has made critical contributions
to the original set of specifications and for the better. So I think if
there is input from the field and not just one vendor/person that port
selectors are not widely used then the IPSEC WG may want to keep an open
mind/ear. Yes, the implementation must not direct proper protocol design,
OTOH, the protocol designers may benefit from the field experience. I
have on a separate email submitted a definition of traffic selectors
that I hope is flexible enough to accommodate both schemes.

2) Although it sounds really interesting to let applications decide
which ports they want to use and how they want to secure them, there are
a few issues.
     a) The system admin that decides the security policy may be a
     different person from the application author. Moreover, the
     application author may in fact have a hidden agenda in passing the
     data over a less secure channel than the system policy allows. In
     order to settle this difference of SP, a properly designed socket
     layer API needs to exist. However, even though port selectors have
     been in IKE/IPSEC for at least 5-6 years, is there such a socket
     API? If there is no such socket API, then does this mean that the
     proposed application is not important enough to the field so that
     it should be specified as an **optional** feature?
     b) Even if such a socket API existed, the user environment in most
     OSs allows applications to be tunneled via a different port (like
     HTTP proxies), so it is quite easy to circumvent the system policy
     for a malicious user if the policy was specified for ports alone.
     In fact, I believe there is an implementation of IP over DNS that
     exists.

I think based on these, one can argue that even for transport mode, the
safest security configuration for hosts is one that specifies less and
secures more.

Thank you for reading and your comments,

Regards

Bora
ps. As in all IETF lists, these are my opinions and not my employer's!
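To make the trade-off discussed in this message concrete, here is an added illustration of how an ordered security policy database resolves the two kinds of policy. It is not code from this thread or from any IPsec implementation: it assumes a simplified first-match policy list with a default of DISCARD, and every address, port and packet in it is a constructed sample value. It compares a policy that protects only a service's well-known port with one that protects all traffic to the host, and shows which packets each lets pass in the clear.

```python
"""Toy security policy database (SPD) matcher, written as an added example
for this thread (not code from the original post or any IPsec stack).
It models an ordered list of policy entries with traffic selectors and
compares a port-based policy with a host-based one.  All addresses,
ports and packets are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector: destination prefix, optional protocol, port range."""
    dst_prefix: str
    proto: Optional[str] = None            # None matches any protocol
    dport_range: Tuple[int, int] = ANY_PORT

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        lo, hi = self.dport_range
        return lo <= pkt.dport <= hi


@dataclass(frozen=True)
class PolicyEntry:
    selector: Selector
    action: str     # "PROTECT", "BYPASS" or "DISCARD"


def lookup(spd: List[PolicyEntry], pkt: Packet) -> str:
    """First-match lookup over an ordered SPD; DISCARD if nothing matches."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action
    return "DISCARD"


SERVER = "192.0.2.10"   # constructed documentation address

# Policy A: protect only the service's well-known port, pass the rest in clear.
PORT_BASED_SPD = [
    PolicyEntry(Selector(f"{SERVER}/32", "tcp", (80, 80)), "PROTECT"),
    PolicyEntry(Selector("0.0.0.0/0"), "BYPASS"),
]

# Policy B: "specify less and secure more": protect everything to the server.
HOST_BASED_SPD = [
    PolicyEntry(Selector(f"{SERVER}/32"), "PROTECT"),
    PolicyEntry(Selector("0.0.0.0/0"), "BYPASS"),
]

# Constructed sample traffic to the server.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", SERVER, "tcp", 80),     # ordinary HTTP
    Packet("198.51.100.7", SERVER, "tcp", 8080),   # same app reached via a proxy port
    Packet("198.51.100.7", SERVER, "udp", 53),     # application data carried inside DNS
]


def compare(packets=SAMPLE_PACKETS):
    """Return (proto, dport, action under A, action under B) for each packet."""
    rows = []
    for pkt in packets:
        rows.append((pkt.proto, pkt.dport,
                     lookup(PORT_BASED_SPD, pkt), lookup(HOST_BASED_SPD, pkt)))
    return rows


def unprotected_under(spd, packets=SAMPLE_PACKETS):
    """Packets to the server that a given policy lets pass in the clear."""
    return [p for p in packets if lookup(spd, p) == "BYPASS"]


if __name__ == "__main__":
    for proto, port, a, b in compare():
        print(f"{proto}/{port:<5} port-based: {a:<8} host-based: {b}")
```

Run as a script, the table shows the port-based policy protecting only tcp/80 and bypassing the tcp/8080 and udp/53 packets, while the host-based policy protects all three; traffic to any other destination is bypassed by both. The ordered list and first-match semantics are what make the broad selector effective: it must sit before the catch-all BYPASS entry.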