
Re: threats ID



Tim Shepard;

>>>Note that IPSEC adds a layer, increasing the number of layers below
>>>TCP by one.
>>
>>it is clearly stated in RFC2401 "Security Architecture for the
>>Internet Protocol", which defines IPSEC architecture, that:
>>
>>   The goal of the architecture is to provide various security
>>   services for traffic at the IP layer, in both the IPv4 and IPv6
>>   environments.

> Interesting that the draft says that.  Note though that despite the
> draft saying that IPSEC provides it "at" the IP layer, it in fact does
> all of its communication sitting on top of unmodified IP.

It is not a draft but the architectural RFC of IPSEC.

> For
> example, the routers don't need to be upgraded to allow IPSEC to run
> over them.

For example, the routers don't need to be upgraded to allow
fragmentation of IPv6 and reassembly of IPv4 and IPv6.

So?

> So in some meaningful sense, IPSEC is above the IP layer,
> even if there is a document telling us that we're not supposed to
> think about it that way.

Hugh? Your point was not technical but lack of IETF consensus.

But, if you want to know technical points, see above.

Though IPSEC is poorly designed, its architecture is OK.

						Masataka Ohta