intersec BOF
summary: classic problem, end-to-end encryption versus intermediate
box which would like to tweak/peep traffic. there's no good solution,
but that's life.
(i'm a firm believer of end-to-end principle and middleboxes, so i'm
very biased)
itojun
------- Forwarded Message
To: wide@wide.ad.jp
Subject: [IETF56] intersec
X-Template-Reply-To: itojun@itojun.org
X-Template-Return-Receipt-To: itojun@itojun.org
X-PGP-Fingerprint: F8 24 B4 2C 8C 98 57 FD 90 5F B4 60 79 54 16 E2
From: Jun-ichiro itojun Hagino <itojun@iijlab.net>
Date: Sat, 22 Mar 2003 03:32:49 +0900
Sender: itojun@itojun.org
kind of "transport area and security area joint BOF"
presentation 1 (thomas)
intermediary-based transport services, and performance enhancement mechanisms
TCP performance enhancement proxy (PEP)
need port #, tcp seq #
IPsec will prevent PEP
header compression
access/modify header
IPsec will block it
network-based packet filtering
limit # of packet onto wireless -> mobile node
with IPsec packet cannot be identified
what kind of trust relationship exists between end systems and intermediary
security goals
packet data which is not needed by intermediary service should be kept
secure (protected end-to-end)
there are solutions like TLS, sRTP, ... i don't think there's a problem
speaker: don't we need a general solution?
there's no problem. no need for intermediary. don't break e-2-e.
is intermediary trustworthy?
what is your threat model?
there's no general solution to this.
you're enabling service provider/intermediary to do bad things to you
beauty of ipsec is that it is independent from application.
needed for satellite setup.
maybe we need another try to express the problem.
presentation 2 (sally)
presentation 3
relationship w/ opes
proxy-based application extensions
protocols for proxy to application communication
opt-in, tracing, privacy considerations
rule language for vectoring
allows heavy application data rewrites, and stuff
...
next steps
formulate problem and framework clearly
work on mailing list
------- End of Forwarded Message
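The notes above say a TCP PEP needs the port and sequence numbers and that IPsec prevents it. The following is an added example (not from the forwarded notes or any IETF document) that makes that concrete: it builds a constructed IPv4/TCP packet, wraps it in tunnel-mode ESP, and shows what a key-less middlebox can parse from each. The ESP "encryption" here is a hashlib keystream stand-in, not a real IPsec transform; addresses, ports, SPI and key are all made-up values.

```python
"""Why a PEP, header compressor or packet filter that needs the TCP header
cannot work on ESP traffic: the transport header is inside the ciphertext.
Added example with constructed packets; the ESP cipher is a SHA-256
keystream stand-in for illustration only, not the real ESP transform."""
import hashlib
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int) -> bytes:
    # Minimal 20-byte IPv4 header; checksum left as zero (not needed here).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src, dst)


def build_tcp_packet(src: bytes, dst: bytes, sport: int, dport: int,
                     seq: int, payload: bytes) -> bytes:
    # 20-byte TCP header: ports, seq, ack, data offset=5 words, ACK flag, window.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x10, 65535, 0, 0)
    return ipv4_header(src, dst, IPPROTO_TCP, 20 + 20 + len(payload)) + tcp + payload


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Illustrative counter-mode keystream from SHA-256; stands in for ESP's cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + struct.pack("!I", ctr)).digest()
        ctr += 1
    return out[:n]


def build_esp_packet(gw_src: bytes, gw_dst: bytes, spi: int, esp_seq: int,
                     inner: bytes, key: bytes) -> bytes:
    # Tunnel-mode ESP: only SPI and the ESP sequence number are in the clear;
    # the entire inner IP packet (including its TCP header) is encrypted.
    esp_hdr = struct.pack("!II", spi, esp_seq)
    ct = bytes(a ^ b for a, b in zip(inner, keystream(key, esp_hdr, len(inner))))
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, 20 + 8 + len(ct)) + esp_hdr + ct


def decrypt_esp(packet: bytes, key: bytes) -> bytes:
    # What the IPsec endpoint (which holds the key) recovers: the inner packet.
    ihl = (packet[0] & 0x0F) * 4
    esp_hdr, ct = packet[ihl:ihl + 8], packet[ihl + 8:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, esp_hdr, len(ct))))


def middlebox_view(packet: bytes) -> dict:
    """Fields a key-less intermediary (PEP, compressor, filter) can read."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    view = {"proto": proto}
    if proto == IPPROTO_TCP:
        sport, dport, seq = struct.unpack("!HHI", body[:8])
        view.update(sport=sport, dport=dport, tcp_seq=seq)
    elif proto == IPPROTO_ESP:
        spi, esp_seq = struct.unpack("!II", body[:8])
        # The TCP port and sequence number the PEP needs are not visible.
        view.update(spi=spi, esp_seq=esp_seq, tcp_seq=None)
    return view


if __name__ == "__main__":
    inner = build_tcp_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02",
                             40000, 80, 123456, b"GET / HTTP/1.0\r\n")
    key = b"constructed-demo-key"
    esp = build_esp_packet(b"\xc0\xa8\x00\x01", b"\xc0\xa8\x00\x02",
                           0x1000, 1, inner, key)
    print("plaintext TCP, middlebox sees:", middlebox_view(inner))
    print("ESP tunnel, middlebox sees:   ", middlebox_view(esp))
    print("endpoint recovers inner packet:", decrypt_esp(esp, key) == inner)
```

The same gap applies to the header-compression and wireless-filtering cases from the notes: anything that keys on fields past the outer IP header sees only SPI and ESP sequence number once ESP is in use, which is exactly the trade-off the BOF was arguing about.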