[e2e] purpose of pseudo header in TCP checksum
Joe Touch
touch at ISI.EDU
Wed Feb 16 02:01:34 PST 2005
Vadim Antonov wrote:
...
> A useful security cannot be implemented at IP or TCP layer, because
> security is only as good as its weakest point. Any strong security
> requires entity authentication (which means, pretty much, authenticating a
> physical user, a server process, and determination of trustworthiness of
> an execution environment), access authorization (meaning determination of
> which entity is allowed to do what), privacy and integrity protection
> (encryption and message authentication), intrusion detection and reaction
> capabilities, and key management.
...
> Essentially, the only way to build a reasonably secure system, having an
> elusive but quite important property called "compartmentalization" is to
> do it at the application/middleware level, and treat networks as always
> insecure.
>
> This also means that attempts to drag security down to the network layer
> are, at best, misguided.

Security at each layer is designed for a different purpose.

The only way to secure the network layer information (used at the
network layer (e.g., for forwarding) and transport - for connection
demuxing) is to secure the network layer header. No amount of
application layer protection works there, unless you terminate the app
layer at each hop and forward there (e.g., P2P). Are you proposing that?

Sure, you can require only security at the app layer, which means that
layer is going to get a lot of junk misforwarded and mis-demuxed that it
has to invest effort - at the routers and the endstations - processing.
Security at other layers helps winnow that junk before it consumes that
effort inappropriately.

Security at any ONE layer is doomed. Security is a multilayer issue;
always has been. We can always talk, in the context of multilayer
security, at what layer to address a given vulnerability.

Joe