[Cryptography] Why aren’t we using SSH for everything?

John Denker jsd at av8n.com
Mon Jan 5 10:58:36 EST 2015


On 01/04/2015 08:50 PM, Paul Wouters wrote:
> 
> IPsec protects the transport.

I wouldn't have said it that way.  It would be somewhat better
to say ESP protects the transport.  IPsec is more than just
crypto, more than just ESP bits-on-the-wire.

  By way of background:  Security always has two parts:
  a) A list of good things to be allowed and supported, and
  b) A list of bad things to be prevented.

The IPsec RFC, to its credit, addresses both issues.
  https://tools.ietf.org/html/rfc4301
Specifically:
 a) The crypto allows you to do things you want to do.  
 b) One major function of the SPD is to disallow things 
  you want to prevent.

The point could be made that much of what the SPD seeks
to prevent is stuff you should have been preventing all
along, even if you had never heard of IPsec.  That's a
valid point.  However, it is also valid to observe that
IPsec, strictly speaking, grabs all of that and incorporates
it into itself.

It has been part of the freeswan / libreswan way of thinking
since Day One to concentrate on part (a) i.e. crypto, and 
leave part (b) i.e. firewalling to somebody else.  That's 
a reasonable management decision as far as it goes, but it 
should not be taken as a redefinition of what IPsec "is".

Especially in the present context, where people are ragging
on the IPsec SPD in particular, it pays to think and speak 
very clearly about such things.



More information about the cryptography mailing list