"Steven" == Steven M Bellovin <smb(_at_)cs(_dot_)columbia(_dot_)edu>
>> You could potentially have both an end-to-end SA and a
>> hop-by-hop SA. That says that you trust intermediate systems
>> less than you do the endpoints, but somehow you're still
>> trusting them not to disclose traffic. I'd like to understand
>> the threat model that leads to this better.
Steven> "Need to know" -- intermediate systems may be cleared very
Steven> high, but they have no need to see the packet contents.
If we were talking about ESP, I think this would apply. I don't see
how it applies to integrity protection without confidentiality though.
>> Do you disagree with my assertion that from an overall
>> architecture view, anyone who implements this mechanism needs
>> confidentiality to run their packets over the open Internet?
OK, I'm not seeing this. Can you give me an example of a system that
would use this mechanism over the open Internet but not need
confidentiality at some layer?
The draft asserts that you would need confidentiality protection to run this
over the Internet and as best I can tell, the draft authors are correct.
>> If you agree confidentiality is needed somewhere, how do we
>> get interoperability if we don't mandate a confidentiality
>> mechanism here?
Steven> It's a different layer. The security label doesn't
Steven> require confidentiality; it does require integrity.
That's true. However, I'm claiming that to be useful, confidentiality
needs to be provided at some layer. If we have two implementations of
this spec, one of which uses confidentiality mechanism a and one of
which uses confidentiality mechanism b, even though they both
implement the mandatory-to-implement security mechanism for this spec,
they cannot interoperate in a secure manner. Traditionally, we've
fixed that sort of interoperability problem by requiring a specific
mechanism at the other layer be mandatory to implement.
I don't think the argument that something happens at another layer has
been a sufficient reason to avoid interoperability.
At least while I was on the IESG, we tended to address this problem by
requiring a specific other layer be a mandatory-to-implement layer.
Now, if you are saying that there are situations where confidentiality is not
needed in the system as a whole, then I'd like to understand those systems.
IETF mailing list