Re: [midcom] SIMCO with IPSec

Martin Stiemerling <stiemerling@netlab.nec.de> Thu, 04 August 2005 09:05 UTC

Date: Thu, 04 Aug 2005 11:05:11 +0200
From: Martin Stiemerling <stiemerling@netlab.nec.de>
To: Stephen Lyda <Stephen.Lyda@siemens.com>, midcom@ietf.org
Subject: Re: [midcom] SIMCO with IPSec

Hi Stephen,

--On Tuesday, 2 August 2005 13:35 -0500 Stephen Lyda
<Stephen.Lyda@siemens.com> wrote:

| Greetings,
|
| I was wondering if someone could elaborate on the need for the use of
| IPSec with the SIMCO protocol.
|
| If this protocol is designed to be light-weight and usable with lower
| end middleboxes, then I do not understand why IPSec encapsulation would
| be a firm requirement for all messages.
|
| For the most part, it seems to me that SIMCO messages are going to be
| traveling on a local, firewalled, network...and not vulnerable to many
| malicious attacks from the outside world.
|
| It seems SIMCO's session establishment messages would be adequate enough
| to authenticate the SIMCO agent with the middlebox.  The middlebox would
| also have the option to reject or select configurations set up by the
| agent.

SIMCO works fine in all scenarios, and basically there are two cases to
distinguish:

1) running SIMCO in an "unsafe" environment, e.g., over the
Internet or in a local Ethernet-based network with shared links
2) running SIMCO in a closed/controlled environment.

You are referring to case 2). In this case there is indeed no need
to run SIMCO over IPsec. IPsec is recommended to be used in case 1.
However, it is up to you to decide whether you run SIMCO over IPsec
or not.

  Martin
