Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

To: "Howard C. Berkowitz" <hcb at clark.net>, Stephen Kent <kent at bbn.com>
Subject: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
From: Robert Moskowitz <rgm-ietf at htt-consult.com>
Date: Tue, 31 Mar 1998 14:52:32 -0800
Cc: ietf at ns.ietf.org
Delivery-date: Wed, 01 Apr 1998 01:41:57 -0500
In-reply-to: <v0300780fb146a6dbf983@[142.154.136.3]>
References: <v03110703b146bda06a02@[128.33.238.131]> <v03007802b146019564cb@[142.154.136.3]> <35207D29.4E146A86@erols.com> <199803310056.TAA04910@thunk.orchard.arlington.ma.us>

At 02:08 PM 3/31/98 -0500, Howard C. Berkowitz wrote:

>Let me try to rephrase.  Yes, I have read the spec and understand these
>modes are present.  I am raising concerns about the applicability of these
>modes, since some significant user communities have insisted on
>host-to-host, a technique that can complicate administration and make it
>extremely difficult to use some infrastructure techniques such as NAT.  The
>issue of a trusted NAT has been dismissed by some.  

There are some cases where a trusted NAT can be used, and I have covered it
in some of my presentations (and soon writings).  However, there are cases
where there can be no trust delegated to an intermediate system, even in
corporate america (ie this is not just a DOD issue).  

End to End needs to be supported.  ESP tunnel mode seems to be able to
traverse a NAT, but IKE may well have problems setting up a SPI for such a
connection.

I'd simply like to see
>more security analysis alternatives in the document or referenced by it.
>Otherwise, I have the sense of several working groups each saying "this is
>our protocol/mechanism and it's irrelevant how other mechanisms interact
>with it."
>
>
>
>

References:
- Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
  - From: Stephen Kent
- Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
  - From: Howard C. Berkowitz
- Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
  - From: Alan Blair
- Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
  - From: Bill Sommerfeld
- Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
  - From: Howard C. Berkowitz

Prev by Date: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Next by Date: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Previous by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Next by thread: Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
Index(es):
- Date
- Thread

Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.

Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.