Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
"Howard C. Berkowitz" writes:
> Let me try to rephrase. Yes, I have read the spec and understand these
> modes are present. I am raising concerns about the applicability of these
> modes, since some significant user communities have insisted on
> host-to-host, a technique that can complicate administration and make it
> extremely difficult to use some infrastructure techniques such as
> NAT.
These user communities want their connections to be secure. There is
no point in paying the CPU expense encryption brings if you aren't at
least going to have benefit out of it. If one is going to share one's
keys with lots of routers, one might as well just have one's CPU spin
wait instead -- that is, as you know, easily exportable, and legal in
France.
> The issue of a trusted NAT has been dismissed by some.
Because "trusted NAT", meaning "share your encryption keys with your
routers" is like "military intelligence" or "congressional
oversight", perhaps?
Yes, I've heard some people seriously suggest having half the routers
on the internet share your encryption keys. I leave it to the sensible
readers to figure out why this isn't a good idea.
Perry
Note Well: Messages sent to this mailing list are the opinions
of the senders and do not imply endorsement by the IETF.
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
