SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: Security Use Requirements



    David,
    
    Question:  Does your "mandatory-to-implement" mean
    "mandatory-to-implement-on-the-same-box", or 
    "mandatory-to-implement-on-the-same-or-different-box"?
    
    :-)
    
    IPSec security gateways are widely available now, from
    many different vendors.  Are you ruling out their use
    to fulfill the security requirement?
    
    Josh
    
    > -----Original Message-----
    > From: Black_David@emc.com [mailto:Black_David@emc.com]
    > Sent: Tuesday, February 06, 2001 3:32 PM
    > To: rja@inet.org; julian_satran@il.ibm.com
    > Cc: aboba@internaut.com; ips@ece.cmu.edu; biran@il.ibm.com
    > Subject: RE: Security Use Requirements
    > 
    > 
    > Some related clarifications:
    > 
    > >         I suspect that failing to make security mandatory-to-
    > > implement will tend to prevent the specification(s) from 
    > > ever becoming IETF standards-track RFC(s).  However, the WG
    > > can certainly *try* to slide by.
    > 
    > My original post was about mandatory-to-use, NOT
    > mandatory-to-implement.  As for making security not
    > mandatory-to-implement ... NOT on my watch ... and
    > remember that Steve Bellovin is one of the ips WG
    > co-chairs, making me a "good cop" by comparison on
    > this sort of issue ;-).
    > 
    > >         Another customary IETF position is to work on the basis that
    > > all IETF protocols are likely (in practice) to be deployed over
    > > The Global Internet.  So the threat model discussions normally
    > > MUST include those kind of threats and can't be limited to threats 
    > > on a private intranet.
    > 
    > That is also correct ... and I say that with my WG co-chair
    > hat firmly in place.  There is also language to this
    > effect in the ips WG charter.
    > 
    > It's unfortunate that Julian focussed only on integrity
    > in his response.  Going back to the Pittsburgh (summer
    > 2000) minutes, secure authentication will be mandatory to
    > implement ... so sayeth the AD.  I also believe that some
    > form of cryptographically authenticated integrity will
    > likewise be mandatory to implement (otherwise it's too
    > easy to hijack an authenticated connection).  This means
    > signed cryptographic checksums, not just CRCs (as Bernard
    > explained).  OTOH, it's not clear that confidentiality
    > will be mandatory to implement.
    > 
    > The whole point on mandatory-to-implement vs. mandatory-to-use
    > is to adapt available security technologies to the circumstances.
    > One simple example is that confidentiality is NOT mandatory-to-use
    > in IPsec, otherwise AH wouldn't exist ... and 5 demerits to anyone
    > who uses that comment as a jumping off point to open the debate
    > about whether AH should exist at all on this list.
    > 
    > I'm not sure that the statement that both IPsec and TLS
    > will be in the spec is the rough consensus of the WG at
    > this point.  I also want to caution folks that simply
    > requiring these technologies to be implemented is not
    > sufficient to address all the security issues - one example
    > for iSCSI is that something will need to be said about
    > the relationship of target names to the identities used
    > for IPsec and/or TLS authentication.  Let me point everyone
    > to Jeff Schiller's security tutorial from the San Diego
    > IETF meeting at: http://jis.mit.edu/sectutorial/  which
    > covers this and a bunch of related material on security
    > at a level that should be accessible to almost everyone.
    > 
    > Thanks,
    > --David
    > ---------------------------------------------------
    > David L. Black, Senior Technologist
    > EMC Corporation, 42 South St., Hopkinton, MA  01748
    > +1 (508) 435-1000 x75140     FAX: +1 (508) 497-8500
    > black_david@emc.com       Mobile: +1 (978) 394-7754
    > ---------------------------------------------------
    > 
    


Home

Last updated: Tue Sep 04 01:05:35 2001
6315 messages in chronological order