SORT BY:

LIST ORDER
THREAD
AUTHOR
SUBJECT


SEARCH

IPS HOME


    [Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

    RE: IPSEC target and transport mode



    
    Dear IPS Chair,
    
    It does not seem like you yourself are happy about the outcome of the Tunnel
    vs. Transport
    debate, but are compelled to reach that decision due to time(?) pressure :-)
    I request that we
    seek advise from Jeffery Schillers, Steve Bellovin and possibly saag just
    one ... more time. 
    I would like to hear their wisdom.
    
    I believe the IPS security effort started with the following:
    
      A. Prime Directive: IPS Security MUST be implemented. It should be
    "end-to-end".
    
          Why? Jeffery Schillers
    http://www.ietf.org/internet-drafts/draft-ietf-saag-whyenc-00.txt
    
      Implications : 1) Anything less than end-to-end is outside the scope of
    IPS security,
                              hence should not be specified by this WG. In fact,
    it is orthogonal.
                              Ideally, one ought to implement "additional"
    nested tunnel for VPN, 
                              firewall etc. over and above end-to-end.
                          2) It is fair game to implement less than end-to-end (
    firewall, gateway etc.) 
                              in lieu of end-to-end, if their customers are
    happy with it. There is 
                              no need to claim compliance with "IPS security" in
    that case. The WG 
                              should not encourage this usage, if it still
    believes in the above 
                              "prime directive".
    
      B. RFC2401 says "MUST implement" TRANSPORT to enable end-to-end and "MUST
           implement" TUNNEL for security gateway. Obviously, a host(IP end
    point) has 
           to "MUST implement" both TUNNEL and TRANSPORT since it has to do
    both.
    
      Implication of A + B : Applying the "prime directive" along with RFC2401,
    the subset of
      requirements we can rationally come up with is the following:
    
             Right Option : "MUST implement" TRANSPORT, "SHOULD use" TRANSPORT
    
             OK Option    : "MUST implement" TRANSPORT, "SHOULD use" TRANSPORT
                                  "MAY implement" TUNNEL with additional
    qualifier that the SA's
                                  have to be end-to-end, outer=inner, ... etc
    
             Tolerable Option : "MUST implement" TUNNEL and TRANSPORT with the
    above 
                                        qualifier for TUNNEL.
    
       The security enthusiasts graciously and unanimously accepted the
    "tolerable option" at 
       Huntington Beach. Yet we are now in this last hour muddle with:
    
              Wrong Option : "MUST implement" TUNNEL and "MAY implement"
    TRANSPORT.
                                     I hope we have all the TUNNEL qualifiers to
    enforce end-to-end.
    
       ... and the clock is ticking ...
    
       From your minutes ..., I am wishfully interpreting (pardon me for this
    :-) Steve Bellovin 
       as saying:
       "IPsec Encapsulation:  Tunnel MUST, Transport MAY" is "OK" 
      ... if we have a _strong_ and _compelling_ technical reason 
      to violate RFC2401. Otherwise, complying with RFC2401 is the
      right thing to do.
    
      I am not saying that tunnel can not be used for end-to-end. I do sometimes
    drive my
      cement truck to work :-)
    
      My worry is that this "Wrong Option" is actually a Trojan horse that will
    undermine and
      kill the spirit behind the "prime directive". If flexibility of allowing
    non-end-to-end is what 
      we really desire, we might as well disband the IPS Security WG and require
    "should 
      implement security in any which way that suits the application"( pardon me
    for the 
      sarcasm :-). If you read some of the recent emails from yourself, John
    Huffurd, Paul Koning
      where you are describing how one may want to use "IPS security" for
    not-end-to-end, you 
      are inadvertently falling prey to that Trojan horse and alluding to the
    degeneration of the 
      "prime directive" :-)
    
      From my understanding, all the technical arguments "for" TUNNEL have been
    addressed
      and all shot down, including the original concern about FCIP being thought
    of as gateway
      while it actually is an IP-end-point.
    
      What remains then is "how do I grow the market for existing VPN, firewall
    like devices ?" :-)
      As per the prime directive, we do not prescribe it for securing iSCSI
    connection. Period. We 
      could however, secure flows as usual (outside the scope of IPS security),
    as may be required 
      by customers. Existing devices that address end-point-security per RFC2401
    are already 
      OK. I believe that IP Storage security need is going to boost the need for
    VPN and  firewall 
      devices anyway and allow the security players to address this yet another
    market segment 
      with low cost solutions :-) :-)
      
      Without getting into implementation details, as an implementer of
    multi-Gig silicon, I can
      assure you that implementing security gateway is a very expensive problem
    compared to 
      end-point security which can be implemented as part of a highly integrated
    silicon. Cost 
      is after all one of the big reasons why we are here talking about iSCSI.
    Granted, most
      implementation/security complexities are around stuff like yIKEs!
    
      Regarding consensus ..., is it possible that most of the "tunnel"
    enthusiasts 
      a) do not want to see security as part of IPS anyway, and/or
      b) want security, but not end-to-end.
      That can explain how we went from "unanimous" to 8-to-20_that_just_flipped
    :-)
      It seems reasonable to filter out their votes when it comes to vote on
    this issue  :-)
      On the list, I do not see any strong argument for straying away from
    RFC2401.
    
      I am not an idealist... But I do not see any strong and compelling reason
    to mutate
      a working RFC2401 at this late hour, esp. when it hurts performance,
    frustrates
      OS partners and dilutes the spirit behind the very purpose of IPS
    security.
    
    -Shridhar Mukund
    
    David: I did not want to post this on saag without your permission
    considering the time
    pressure we are under. You, Jeffery or Steve may choose to do so, if
    required.
      
    
                           
    
    


Home

Last updated: Fri Apr 05 17:18:21 2002
9532 messages in chronological order