[anonsec] 3401 and highjacking
Nicolas.Williams at sun.com
Fri Feb 24 10:23:40 PST 2006
On Fri, Feb 24, 2006 at 10:00:08AM -0800, Joe Touch wrote:
> Nicolas Williams wrote:
> > On Thu, Feb 23, 2006 at 06:18:23PM -0500, Stephen Kent wrote:
> >>My recollection from the BOF was that only some of the cited
> >>motivations for BTNS explicitly cite transport layer protection. When
> >>applications want to use lower layer security mechanisms to enable
> >>higher performance via off-loading crypto to a different processor,
> >>that can be achieved via SSL/TLS, for example.
> > Yes, that's my motivation.
> We probably agree on that, but it's not a motivation for BTNS. BTNS is a
> good place to develop a particular channel binding variant, but that
> doesn't seem like a motivation.
Oh no, channel binding certainly is a motivation for BTNS, if
round-about: because implied in channel binding is that you already have
an authentication infrastructure deployed that you can use at layer 7,
but you want secure channels at lower layers where you don't care what
is used for authentication, and having to deploy a separate
authentication infrastructure just to get such channels is lame.
I first posted to the old IPsec WG list about something like BTNS long
before the ANONSEC BoF. And the motivation for channel binding to IPsec
and unauthenticated IPsec goes back to March 2003 when a bunch of people
at Connectathon sat down to work out a proposal from Mike Eisler going
back to December 2002.