ietf-openproxy

Re: [midtax] security issues

2001-03-21 09:06:44
It is true that middle boxes create an environment that will violate
a "no body in the middle" security model. I believe there are
two possible conclusions there:
        - middle boxes are all bad.
        - the model is not realistic.

As one of those horrible people who is actually promoting solutions
in the middle box environment, I would say that there are considerations
for both conclusions. However, I think that not considering "changes
in the market needs" in understanding our problem space is not
a good solution strategy.

At 10:52 AM 3/21/2001 -0500, Sandy Murphy wrote:
(This message was sent to Brian Carpenter, who requested that I forward
to the list.)

I read your recent i-d "Middle boxes: taxonomy and issues" with great
interest.  I've been noting the increasing number of internet drafts
that propose a networking technology in which the interior of the
network mungs around with the packet, including the *contents* of the
packet.  Your taxonomy concentrates on this paradigm, and I see other
examples:

  mail transfer agents (translate 7bit to 8bit, translate CR/LF to CR, etc.)
       (yes, this is a really old problem)
  mobile agents
  URL rewriting
  active networks
  content distribution networks that do content adaptation
  DIAMETER proxies
  basically all/most proxies
  etc.

As you note, this "reduces or eliminates the ability to perform end to
end encryption, and complicates trust models and key distribution
models", which puts you at the top of the class in understatement.
Existing end-end security solutions do not work with these new
technologies, particularly when most of these technologies are
supposed to be transparent to the user, i.e., the user is not expected
to establish or configure the set of web caches, mail transfer agents,
active nodes, etc. that it trusts to interfere with its packet.  You
suggest that "every middle box design requires particular attention to
security analysis".  I don't think that's quite sufficient.  If the
very function of the middle box violates the assumptions that underlie
the (end-end) security solutions, then attention to security means
either (1) break the end-end security or (2) don't implement the
middle box.

I'm concerned that we'll need a whole new class of security solutions
if this paradigm ends up being deployed in lots of different
technologies, if only to avoid each new technology designing an
end-end security solution appropriate to its particular munging.  Do
you think that people fully realize what a difficulty this is?  I wish
I could be there for the BOF next Monday, but some personal matters
are keeping me in the office.

--Sandy Murphy, NAI Labs

Michael W. Condry
Director, Network Edge Technology

