[e2e] purpose of pseudo header in TCP checksum

Joe Touch touch at ISI.EDU
Wed Feb 16 02:01:34 PST 2005



Vadim Antonov wrote:
...
> A useful security cannot be implemented at IP or TCP layer, because
> security is only as good as its weakest point. Any strong security
> requires entity authentication (which means, pretty much, authenticating a
> physical user, a server process, and determination of trustworthiness of
> an execution environment), access authorization (meaning determination of
> which entity is allowed to do what), privacy and integrity protection
> (encryption and message authentication), intrusion detection and reaction
> capabilities, and key management.
...
> Essentially, the only way to build a reasonably secure system, having an
> elusive but quite important property called "compartmentalization" is to
> do it at the application/middleware level, and treat networks as always
> insecure.
> 
> This also means that attempts to drag security down to the network layer
> are, at best, misguided.

Security at each layer is designed for a different purpose.

The only way to secure the network layer information (used at the 
network layer (e.g., for forwarding) and transport - for connection 
demuxing) is to secure the network layer header. No amount of 
application layer protection works there, unless you terminate the app 
layer at each hop and forward there (e.g., P2P). Are you proposing that?

Sure, you can require only security at the app layer, which means that 
layer is going to get a lot of junk misforwarded and mis-demuxed that it 
has to invest effort - at the routers and the endstations - processing. 
Security at other layers helps winnow that junk before it consumes that 
effort inappropriately.

Security at any ONE layer is doomed. Security is a multilayer issue; 
always has been. We can always talk, in the context of multilayer 
security, at what layer to address a given vulnerability.

Joe
