Steven M. Bellovin wrote:
> IPsec operates at layer 3, where there are (generally)
> no user contexts.  This makes it difficult to bind
> IPsec credentials to a user, which means that it
> inherently can't be as simple to configure as ssh.
>
> Put another way, when you tell an sshd whom you wish
> to log in as, it consults that user's home directory
> and finds an authorized_keys file. How can IPsec -- or
> rather, any key management daemon for IPsec -- do
> that?  Per-user SPDs?  Is this packet for port 80 for
> user pat or user chris?
>
> I can envision ways around this (especially if we have
> an IP address per user of a system -- I've been
> writing about fine-grained IP address assignment for
> years), but they're inherently a lot more complex than
> ssh.

This is a particular case of the layer problem I have
been ranting about for years:  Private and authenticated
sessions at layer X do not in themselves correspond to
private and authenticated sessions at layer Y, and for
users to arrange their affairs so that layer X does
indeed secure layer Y generally requires users to stand
on their heads and stick their right big toe in their
left ear.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to