Re: Revised LINK -07 now online

From: Dan Grossman (dan@dma.isg.mot.com)
Date: Wed Nov 21 2001 - 14:35:31 EST


Sigh...

Once again we get to the I-D deadline and once again there are concerns that
need to be addressed.

   Several security mechanisms that can be used end-to-end have already
   been deployed in the Internet and are enjoying increasing use. The
   most important are the Secure Sockets Layer (SSL) [SSL2] [SSL3] and
   TLS [RFC2246] primarily used to protect web commerce; Pretty Good
   Privacy (PGP) [RFC1991], primarily used to protect and authenticate
   email and software distributions; the Secure Shell (SSH), used for
   secure remote access and file transfer; and IPSEC [RFC2401], a
   general purpose encryption and authentication mechanism that sits
   just above IP and can be used by any IP application. (IPSEC can
   actually be used either on an end-to-end basis or between security
   gateways that do not include either or both end systems.)

Dan: This paragraph is too long. This is a document about subnets, not
applications. To the extent subnet designers are ignorant about these things,
it also creates false expectations about widespread deployment and usage.
Generally it is fair to say that mechanisms that are not bundled with the
dominant operating system and/or browsers and/or web servers and/or mail
clients cannot be said to be broadly deployed (sorry PGP, SSH and IPSEC).

   Nonetheless, end-to-end security mechanisms are not used as widely as
   might be desired. However, the group could not reach consensus on
   whether subnetwork designers should be actively encouraged to
   implement mechanisms to protect user data.

   The majority of the working group held that subnetwork security

Dan: Since when does the IETF have majorities and minorities!!! Did we
take a vote ;-)? This is an extremely prejudicial statement. The previous
wording was something to the effect of one point of view held (or something
like that). If we insist on using adjectives, we could refer this as the
purist point of view (versus the pragmatic point of view), but I think our
audience can make up their own minds when presented with facts rather than
opinions.

   mechanisms, especially when weak or incorrectly implemented [BGW],
   may actually be counterproductive. The argument is that subnetwork
   security mechanisms can lull end users into a false sense of
   security, diminish the incentive to deploy effective end-to-end
   mechanisms, and encourage "risky" uses of the Internet that would not
   be made if users understood the inherent limits of subnetwork
   security mechanisms.

   The other point of view actively promotes subnetwork security
   mechanisms on the principle that they can't hurt. The argument is
   that while subnetwork security is admittedly inferior to end-to-end
   security, subnetwork security doesn't preclude the use of end-to-end
   security. Furthermore, many users are unwilling or unable to
   implement end-to-end security, so subnetwork security is better than
   no security at all. This viewpoint calls for subnetworks to implement
   mechanisms to achieve a degree of security commensurate with a series
   of concatenated, physically protected point-to-point links. This
   approach is especially applicable to wireless links and wired links
   where physical security is impractical. It is the rationale for
   802.11's "wire-equivalent privacy" (WEP) scheme and the privacy
   schemes in DOCSIS modems for cable TV networks.

Dan: No, that is not the other point of view, or at least not my point of
view, and I've been the most vocal advocate. It is also worded in a
dismissive and prejudicial fashion, reflecting the editor's negative opinion
rather than the views of its advocates. Please replace this text, in its
entirety, with the following, and please don't make editorial "improvements"
that dilute or disparage the point. I'm also going to make a direct request
that chairs intervene here to ensure that the editor faithfully captures the
points raised without injecting his personal opinions.

"The other point of view encourages subnetwork security on the principle that
it is better than the default situation, which all too often is no security at
all. Users of especially vulnerable subnets (such as consumers who have
wireless home networks and/or shared media Internet access) often have control
over at most one endpoint -- usually a client -- and therefore cannot enforce
the use of end-to-end mechanisms. However, subnet security can be entirely
adequate for protecting low-valued assets against the most likely threats. In
any event, subnet mechanisms do not preclude the use of end-to-end mechanisms,
which are typically used to protect high valued assets. This viewpoint
recognizes that many security policies implicitly assume that the entire
end-to-end path is composed of a series of concatenated links that are
nominally physically secured. That is, these policies assume that all
endpoints of all links are trusted and that access to the physical media by
attackers is difficult. To meet the assumptions of such policies, explicit
mechanisms are needed for links (especially shared media links) that lack
physical protection. This, for example, is the rationale that underlies Wired
Equivalent Privacy (WEP) in the IEEE 802.11 wireless LAN standard, and the
Baseline Privacy Interface in the DOCSIS data over cable television networks
standards."

   We therefore recommend that subnetwork vendors who choose to
                                          ^^^
subnetwork designers: this document is also directed to standards bodies, and
this is the terminology we've used throughout the draft

   implement security mechanisms to protect user data be as candid as
   possible with the details of such security mechanisms and the
   inherent limits of even the most secure mechanisms when implemented
   in a subnetwork rather than on an end-to-end basis.

<SNIP>
   Another potential role for subnetwork security is to protect users
   against traffic analysis, i.e., identifying the communicating parties
   and determining their communication patterns and volumes even when
   their actual contents are protected by strong end-to-end security
   mechanisms. Lower-layer security can be more effective against
   traffic analysis due to its inherent ability to aggregate the
   communications of multiple parties sharing the same physical
   facilities while obscuring higher layer protocol information that
   indicates specific end points, such as IP addresses and TCP/UDP port
   numbers.

   However, traffic analysis is a notoriously subtle and difficult
   threat to understand and defeat, far more so than threats to
   confidentiality and integrity. We therefore urge extreme care in the
   design of subnetwork security mechanisms specifically intended to
   thwart traffic analysis.

What does this add? Suggest removing this paragraph.

Dan



This archive was generated by hypermail 2b29 : Mon Jan 28 2002 - 09:12:29 EST