[anonsec] 3401 and highjacking
Stephen Kent
kent at bbn.com
Wed Feb 22 14:04:42 PST 2006

Joe,

>...
>
>Whatever BTNS is _now_ motivated by, it WAS motivated by the need for
>transport protection in the absence of a-priori keys (infrastructure or
>predeployed).

I agree that was your motivation, and you explained that clearly. But
we now have a WG with a broader set of goals, and thus the original
motivation you cite is not the only one.

>As to the reasons you cited in your original quote:
>1- performance
>2- security of the software system
>3- lower layer can be done elsewhere in the system
>3- using BTNS as a place to explore split-layer security
>
>For which of these would SSL address a BTNS use case?

There are a number of outboard, SSL accelerator products that clearly
support #1 above. The use of such outboard accelerators could improve
crypto security relative to the application layer, although that
depends on the crypto options available to the application. The fact
that these accelerators are analogous to BITW IPsec implementations
also allows them to avoid some of the OS security pitfalls that
accrue to an application running on the most popular OS, which also
supports #2 above. Although it is an awful protocol layering
violation, outboard accelerators for SSL are regularly placed as
intermediate systems, just like IPsec SG, consistent with (the first)
#3 above. The second bullet #3 above is NOT something I cited as a
motivation for layer 3 security, so it seems out of place on your
list.

>> Also, SSL/TLS now is defined to support UDP, so the traditional argument
>> about needing to use IPsec to accommodate other than TCP is no longer
>> valid.
>
>There are more transport protocols than just TCP and UDP. See
>http://www.iana.org/assignments/protocol-numbers for a complete list ;-)

The vast majority of the protocols on that list are rarely used or
obsolete (a limiting case of rarely used). For example, when do you
think the last packet radio measurement packet (#21) was sent :-)?
This is not a very relevant list for purposes of our discussion,
although I admit there are transport protocols other than TCP and
UDP. The relevant question is which ones are of interest to the
potential set of BTNS users.

Steve