Where traffic needs to be received from unauthenticated clients, that can be
achieved easily with most implementations of IPSEC - you specify a BYPASS
policy to allow 'in the clear' traffic from a list of addresses, or any not
specified as requiring protection.

I agree that 'stable storage' will always need to be part of applications
that require that. This is the approach taken by the Secure-BGP working
group - digitally sign the BGP updates, but use IPSEC to get it safely over
the wire. While syslog and s-BGP application level techniques are evolving,
and to support syslog/BGP that will not get updated, IPSEC is a good start,
I think.

Thanks for the reply, 
Steve.

 

-----Original Message-----
From: Chris Calabrese [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 18, 2000 4:20 PM
To: Chris Lonvick
Cc: Waters, Stephen; [EMAIL PROTECTED]
Subject: Re: IPSEC usage to protect syslog


In my opinion...

The client needs to make sure rogue servers don't pick up their bits and the
server needs to make sure rogue clients aren't spoofing real ones.  From this
standpoint, IPsec is a bit overkill because, as Chris L. pointed out, there are
situations where the server wants to receive information from unauthenticated
clients.

Also, the ideal logging system would have the message authentication/encryption
capabilities follow them onto stable storage, whereas IPsec is a purely
on-the-wire system.
