Stephen Kent wrote:
> At 7:43 AM -0800 2/17/06, Joe Touch wrote:
>
>> Stephen Kent wrote:
>> ....
>>
>>> ...I also said that one could use SSL to address some (though not
>>> all) of the use cases that were put forth as motivations for BTNS,
>>> but that is out of scope for this WG, based on its current charter.
>>
>> Since this point has been raised on repeated occasions:
>>
>> BTNS was motivated by the need to protect the network and transport
>> headers. Connection-disruption attacks (RST attacks in specific, which
>> also include ACK and other transport header attacks) were
>> the primary case, and SSL does not protect against those. The ability to
>> reuse techniques across different transport and higher layers was also
>> sought, and SSL again does not apply there.
>>
>> Joe
>
> Joe,
>
> As I noted elsewhere in that message from which you extracted the quote,
> there are multiple, distinct constituencies for BTNS. Not all of them
> have the requirement you cite above re protection against transport
> layer attacks. So, it is inappropriate to make a broad statement about
> BTNS motivations without acknowledging this diversity.

Whatever BTNS is _now_ motivated by, it WAS motivated by the need for
transport protection in the absence of a priori keys (infrastructure or
predeployed).

As to the reasons you cited in your original quote:

1- performance
2- security of the software system
3- lower layer can be done elsewhere in the system
4- using BTNS as a place to explore split-layer security

For which of these would SSL address a BTNS use case?

> Also, SSL/TLS now is defined to support UDP, so the traditional argument
> about needing to use IPsec to accommodate other than TCP is no longer
> valid.

There are more transport protocols than just TCP and UDP.
See http://www.iana.org/assignments/protocol-numbers for a complete list ;-)

Joe
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.