FW: Fwd: TLS authorizations draft

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Keynote is an Experimental RFC (see RFC 2704, RFC 2792). I failed to see
the context of this discussion since I apparently deleted the emails
that preceeded this. Despite my lack of context, I did want to state a
few reasons why Keynote is personally interesting to me:

Steve Bellovin wrote a paper in 1999 entitled "Distributed Firewalls"
that described a mechanism to build policy-based networks by leveraging
the IPsec protocol. This approach addressed most of the problems that
occurred with the more ambitious Policy Based Networking (PBN)
approaches proposed by entities such as the DMTF's DEN. It has been used
to create distributed firewall systems (e.g., see
http://www.cs.columbia.edu/~angelos/Papers/df.pdf), including the
construction of discrete security zones within the network
infrastructure (i.e., elements of a network deployment with heightened
or specialized security requirements different than the rest of the
deployment).  

The IETF's former IPSP working group assembled several tools that can be
optionally leveraged to create PBN systems using IPsec, though I
perceive that their approach has imploded in the general case due to
policy complexities:

*	RFC 3586 describes the problem space and solution requirements
for developing an IPSP configuration and management framework.
*	RFC 2704 describes the KeyNote policy language that can
optionally be used to construct PBN systems. The KeyNote implementation
functions as a compliance engine and is based on RBAC techniques as
encoded within PKI attribute certificates.
*	Use of IPsec's ESP (see RFC 4305) in Transport Mode to provide
confidentiality, data origin authentication, anti-replay attack
protection, and data integrity services in order to enhance network
security between communicating devices (e.g., hosts-to-hosts,
routers-to-routers) at a specific integrity level.

The DARPA Strong Man work originally experimented with integrating
KeyNote with IPsec's Internet Key Exchange (see RFC 4306) protocol in
order to create a very fine-grained authentication and access control
infrastructure at the network layer. These communications are secured by
using IPsec in Transport Mode between communicating devices. A public
implementation of this approach is freely available and is built into
the Open BSD Unix OS.  This approach creates a tight knit PBN system
that has not been widely deployed to date, to the best of my knowledge. 

Nevertheless, corporations such as Boeing remain very interested in
mechanisms to "Internet harden" our infrastructures, particularly now
that traditional perimeter defense firewalls are becoming obsoleted by
modern business practices. Specifically, we need viable mechanisms to
internally create "distributed firewalls" or "security zones" inside our
distributed operations environments. The DARPA Strong Man, while not
widely implemented to my knowledge, nevertheless is one of the more
promising approaches towards doing that.

-----Original Message-----
From: Stephen Kent [mailto:kent@xxxxxxx] 
Sent: Monday, May 22, 2006 1:02 PM
To: Russ Housley
Cc: ietf@xxxxxxxx
Subject: Re: Fwd: TLS authorizations draft


At 10:16 AM -0400 5/18/06, Russ Housley wrote:
>I received this note from Angelos Keromytis regarding the 
>draft-housley-tls-authz-extns document.  I plan to accommodate this 
>request unless someone raises an objection.
>
>Russ
>

OK, I'll object :-).

KeyNote has no IETF status, to the best of my knowledge.  It is 
closely aligned with the SDSI/SPKI work for which the IETF created a 
WG, but ultimately rejected as a standards track effort.  So, I find 
it inappropriate to extend this standards track document to include 
support for a technology that, via a tenuous link, never made it to 
standards track status in the IETF.

Steve

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]