Tom,
>
> Luis, Howard,
>
> Thanks for the corrections to my message. Nevertheless, it is clear that
> there is no mode of IPsec that is compatible with TCP spoofing unless
> the spoofing gateway can perform encryption and/or authentication itself.
> In looking at the Security Architecture document, it seemed worthwhile to
> consider a "transport mode" option to leave the TCP header unencrypted and
> unauthenticated.
>
> > There was just
> > a proposal in the last two weeks to the IPSEC mailing list to move the
> > TCP port information into the clear so as to allow Internet management
> > systems that gather stats on the types of flows running across the
> > 'net to continue to operate. It was seriously rejected by the WG
> > despite the understanding for flow stats.
>
> Given this, I guess the discussion is moot.
>
> Tom
In essence, if there were an IPSEC-ESP mode to allow the TCP header to
remain in the clear what you would have is TLS. The major reason for
using TLS over IPSEC is that TLS does not require any underlying
network (and/or operating system kernel) changes whereas IPSEC would
require changes. So, TLS really shines when it is inconvenient or
there is no opportunity to change out the underlying network stack.
As a result, TLS must be implemented in each application that requires
security protection. IPSEC, because it lives lower in the stack,
is a ubiquitous mechanism available for use by the upper layers with
no redundant implementation needed. I don't know if everyone would
agree with me, but I believe that IPSEC provides a more secure
solution than does TLS because I believe that the more information
that is exposed, the more you open yourself up to attacks.
Howie
--
___________________________________________________________________
| |
|Howard Weiss phone (410) 381-9400 x201 |
|SPARTA, Inc. (301) 621-8145 x201 (DC) |
|9861 Broken Land Parkway fax: (410) 381-5559 |
|Columbia, MD 21046 email: [email protected] |
|___________________________________________________________________|
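A toy model of the point Tom and Howie are making, added here as an example (not code from the thread or from any IPsec or TLS implementation): ESP in transport mode puts the whole TCP segment, header included, under its integrity check, so a TCP spoofing gateway that rewrites the ACK number breaks the check, whereas TLS authenticates only the record payload and leaves the TCP header free to be rewritten. The key, ports, payload and the simplification that ESP here uses integrity only with no encryption, SPI, sequence number or padding are all assumptions of the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by both endpoints (stands in for an SA key or TLS record key).
KEY = b"constructed-demo-key"

def tcp_header(src_port, dst_port, seq, ack):
    """Minimal 20-byte TCP header: ports, seq, ack, then fixed data offset/flags,
    window, checksum and urgent pointer (checksum left zero for the demo)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, 0x5010, 65535, 0, 0)

def icv(data):
    """HMAC-SHA256 truncated to 12 bytes: a stand-in for the ESP ICV / TLS record MAC."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:12]

def esp_transport_segment(tcp_hdr, payload):
    """Simplified ESP transport mode (integrity only; SPI, sequence number and
    padding omitted): the whole TCP segment, header included, is under the ICV."""
    protected = tcp_hdr + payload
    return protected + icv(protected)

def tls_over_tcp_segment(tcp_hdr, payload):
    """TLS over TCP: the TCP header rides in the clear; only the record
    (application data) is covered by the record MAC."""
    return tcp_hdr + payload + icv(payload)

def spoofing_gateway(packet, new_ack):
    """A TCP spoofing gateway (performance-enhancing proxy) rewriting the ACK
    number, which sits at bytes 8-12 of the TCP header in both layouts."""
    return packet[:8] + struct.pack("!I", new_ack) + packet[12:]

def esp_receiver_accepts(packet):
    """ESP endpoint: recompute the ICV over header + data and compare."""
    protected, tag = packet[:-12], packet[-12:]
    return hmac.compare_digest(icv(protected), tag)

def tls_receiver_accepts(packet):
    """TLS endpoint: the TCP header is outside the MAC; only the record is checked."""
    payload, tag = packet[20:-12], packet[-12:]
    return hmac.compare_digest(icv(payload), tag)

def demo():
    """Run both layouts through the gateway; returns (esp_accepted, tls_accepted)."""
    hdr = tcp_header(40000, 443, seq=1000, ack=5000)
    data = b"GET / HTTP/1.0\r\n\r\n"  # constructed application data
    esp = spoofing_gateway(esp_transport_segment(hdr, data), new_ack=6000)
    tls = spoofing_gateway(tls_over_tcp_segment(hdr, data), new_ack=6000)
    return esp_receiver_accepts(esp), tls_receiver_accepts(tls)
```

Running `demo()` returns `(False, True)`: the ESP endpoint discards the rewritten segment, the TLS endpoint never notices the rewrite, which is exactly why a spoofing gateway needs the ESP endpoint's keys to keep working.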
This archive was generated by hypermail 2b29 : Mon Feb 14 2000 - 16:14:39 EST