
Michael Richardson: middle boxes vs security



To: midtax@xxxxxxxxxxxxxxxx
Subject: middle boxes vs security
In-reply-to: Your message of "Wed, 21 Mar 2001 10:52:27 EST."
             <200103211552.KAA17534@xxxxxxxxxxxxxxxxxxxxxx> 
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: Thu, 22 Mar 2001 03:30:14 -0500
From: Michael Richardson <mcr@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>


  It is interesting that the inability to deploy security due to the presence
of middle boxes, such as security gateways, has prevented deployment of voice
services.
  (Frankly, I think that it is the overly complicated H.323 that has been the
culprit for years... H.323 was designed without reference to security
gateways at all, but perhaps this is simply a good example of the problem.)

  I would invite people to take a look at the SPP drafts that are part of the
IPsec Security Policy WG as background for a new protocol.

  In this case, the SPP attempts to discover security gateways along the
forwarding path, determine appropriate security policies for traversing them, 
and resolve conflicts in the policies. With the config model, MIB and PIB
going to last call now, IPSP expects to make progress now on a new security
gateway/policy discovery protocol.

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]     mcr@xxxxxxxxxxx   www.solidum.com   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [