ietf

RE: recommendation against publication of draft-cerpa-necp-02.txt

2000-04-07 14:40:03
Steve,

Suppose, rhetorically, that we were to encrypt every IP packet using IPSEC.
What happens if a box takes your packet and delivers it to the "wrong"
address, for example to an ISP controlled cache? Well, the cache cannot do
anything with it, except drop it to the floor. We are thus faced with a
dilemma: not use IPSEC because it breaks the ISP provided "enhancement," or
tell the ISP to stop this denial of service attack.

-----Original Message-----
From: Stephen Kent [mailto:kent(_at_)bbn(_dot_)com]
Sent: Friday, April 07, 2000 10:07 AM
To: Leslie Daigle
Cc: Keith Moore; iesg(_at_)ietf(_dot_)org; ietf(_at_)ietf(_dot_)org; rfc-ed(_at_)rfc-editor(_dot_)org
Subject: Re: recommendation against publication of draft-cerpa-necp-02.txt


Leslie,

I understand your point, but we leave ourselves open to many forms of 
attacks, or errors, by assuming that "what you receive is what was 
sent" in this era of the Internet.  Security is not black and white, 
but the gray area we're discussing does bother me.  If one cares 
about knowing where the data originated, and that it has not been 
altered, then one needs to make use of the tools provided to address 
that concern.  If one doesn't use the tools, then one does not care 
very much, and the results may be surprising :-).

Steve



