Steven M. Bellovin wrote: > IPsec operates at layer 3, where there are (generally) > no user contexts. This makes it difficult to bind > IPsec credentials to a user, which means that it > inherently can't be as simple to configure as ssh. > > Put another way, when you tell an sshd whom you wish > to log in as, it consults that user's home directory > and finds an authorized_keys file. How can IPsec -- or > rather, any key management daemon for IPsec -- do > that? Per-user SPDs? Is this packet for port 80 for > user pat or user chris? > > I can envision ways around this (especially if we have > an IP address per user of a system -- I've been > writing about fine-grained IP address assignment for > years), but they're inherently a lot more complex than > ssh.
This is a particular case of the layer problem I have been ranting about for years: Private and authenticated sessions at layer X do not in themselves correspond to private and authenticated sessions at layer Y, and for users to arrange their affairs so that layer X does indeed secure layer Y generally requires users to stand on their heads and stick their right big toe in their left ear. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]