IETF Logo Mail Archive

Re: AH (without ESP) on a secure gateway

Michael Richardson <mcr@sandelman.ottawa.on.ca> Wed, 04 December 1996 23:10 UTC

Received: from cnri by ietf.org id aa06846; 4 Dec 96 18:10 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa24225; 4 Dec 96 18:10 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id SAA27861 for ipsec-outgoing; Wed, 4 Dec 1996 18:03:00 -0500 (EST)
Message-Id: <199612042304.SAA02239@amaterasu.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-reply-to: Your message of "Tue, 03 Dec 1996 23:58:30 EST." <199612040458.XAA18260@raptor.research.att.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <2236.849740683.1@amaterasu.sandelman.ottawa.on.ca>
Date: Wed, 04 Dec 1996 18:04:44 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

[this may be a repeat. Emacs crashed.]

-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Steven" == Steven Bellovin <smb@research.att.com> writes:
    Steven> mode.  To do otherwise is inviting trouble.  In fact, I
    Steven> had thought that was what was done -- no other possibility
    Steven> had occurred to me.

  Are you suggesting we need specific wording in the drafts?

    Steven> There's a second issue that has come up here -- how does
    Steven> one know which the right firewall is?  This is one of the

  I favour a firewall discovery system. ICMP Admin denied messages can
provide the right info. I am not certain if this is workable, since I
haven't been able to prototype it all. (And no longer have the funding
to even try.)

    Steven> points I raised at the last IETF meeting; in my opinion,
    Steven> it's very closely related to the naming issue and the
    Steven> certificate issue, and we haven't really tackled either of
  
  I am retrieving your slides. [how do you get the AT&T logo inside of
slidex? Cool.] The problem I see is that there may be different
firewalls involved. Both firewalls in parallel and firewalls in
series.
  While this doesn't sound very likely very soon with most current
application layer firewalls, Checkpoint has announced state-sharing
facilities. It could be a different firewall that is involved each
time! Should the encryption state be shared too? Maybe. Maybe not. 
  Firewalls in series are more interesting. I expect to see this. I am
seeing this.
  
  The best system I can imagine is one where an end node is provided
with a certificate, signed by its intended destination stating that
"firewall X is a legitimate firewall for me". The local node will also
need to be able to recognize a certificate from a local authority
saying "firewall Y is a legitimate firewall to get to 0.0.0.0/0"
 
   (local node)-------- Y --------- X ------- (end node)

  The SPKI groups' proposal has the notion of cache certificate that
could reduce a series of statements into single self-signed certificate.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQBVAwUBMqW1dtTTll4efmtZAQFF/gH/VzzF8DFKLgRbWYZGUecEkcCFCbiKz/ee
bC3GQX0/IKYVIceV9sIV2HYn+bXlb454bzwCuhn90q1ytlVr1kwNNg==
=51h3
-----END PGP SIGNATURE-----

v2.29.0 | Report a Bug | By Email | System Status