But if you use BYPASS, then you get no advantage at all. With TLS you can specify encryption with one-way authentication, and an application-level encryption scheme fits the needs even better than either IPsec or TLS.

There is one big advantage of IPsec that I can see, however... A lot of networking devices, even low-end ones, already have IPsec capabilities built in. This might make it easier to sell the new protocol to Cisco, 3Com, Nortel, etc., who would already have code to do this on many of their devices.

"Waters, Stephen" wrote:
> Where traffic needs to be received from unauthenticated clients, that can be
> achieved easily with most implementations of IPSEC - you specify a BYPASS
> policy to allow 'in the clear' traffic from a list of addresses, or any not
> specified as requiring protection.
>
> I agree that 'stable storage' will always need to be part of applications
> that require that. This is the approach taken by the Secure-BGP working
> group - digitally sign the BGP updates, but use IPSEC to get it safely over
> the wire. While syslog and s-BGP application level techniques are evolving,
> and to support syslog/BGP that will not get updated, IPSEC is a good start,
> I think.
>
> Thanks for the reply,
> Steve.
>
> -----Original Message-----
> From: Chris Calabrese [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 18, 2000 4:20 PM
> To: Chris Lonvick
> Cc: Waters, Stephen; [EMAIL PROTECTED]
> Subject: Re: IPSEC usage to protect syslog
>
> In my opinion...
>
> The client needs to make sure rogue servers don't pick up their bits and the
> server needs to make sure rogue clients aren't spoofing real ones. From this
> standpoint, IPsec is a bit overkill because, as Chris L. pointed out, there
> are situations where the server wants to receive information from
> unauthenticated clients.
>
> Also, the ideal logging system would have the message
> authentication/encryption capabilities follow them onto stable storage,
> whereas IPsec is a purely on-the-wire system.
--
Chris Calabrese
Internet Security Administrator
Merck-Medco Managed Care, L.L.C., Internet Infrastructure and Security
1900 Pollitt Drive, Fair Lawn, NJ 07410, USA
tel (work): 201-703-7218
email: [EMAIL PROTECTED]
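The two points the thread keeps returning to, protection that follows the record onto stable storage rather than stopping at the wire, and a collector that still accepts in-the-clear lines from hosts it cannot authenticate, as an added example. This is not code from the thread or from any syslog, IPsec or S-BGP implementation. The shared key, the HMAC-SHA256 construction, the "MAC=" trailer, the status names and the sample log lines are all assumptions constructed for illustration; a shared-key MAC is used only because it needs no third-party library, whereas the digital-signature approach Stephen mentions for S-BGP would let an auditor verify records without holding a secret that can also forge them.

```python
"""Per-message authentication for syslog records that survives into storage.

Added example, not part of the original thread. Key, tag format and sample
lines are constructed for illustration.
"""
import base64
import hashlib
import hmac

# Assumption: one key shared between a log source and the collector. In a
# real deployment each source would get its own key (or a signing key pair).
KEY = b"example-shared-key-not-for-production"
TAG_SEP = " MAC="  # assumed trailer format appended to each syslog line


def mac_tag(line: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the raw line, base64 so it stays on one text line."""
    return base64.b64encode(hmac.new(key, line, hashlib.sha256).digest()).decode()


def protect(line: str, key: bytes = KEY) -> str:
    """Client side: append a per-message authenticator before sending.

    Unlike an IPsec SA, the tag is part of the record, so it is still there
    after the collector writes the line to disk."""
    return line + TAG_SEP + mac_tag(line.encode(), key)


def classify(record: str, key: bytes = KEY) -> tuple:
    """Server or audit side: return (status, original_line).

    status is 'authentic', 'tampered' or 'unauthenticated'. A line with no
    tag is kept but flagged, the application-level analogue of a BYPASS
    policy for hosts that cannot be updated to sign their output."""
    line, sep, mac = record.rpartition(TAG_SEP)
    if not sep:
        return "unauthenticated", record
    ok = hmac.compare_digest(mac_tag(line.encode(), key), mac)
    return ("authentic" if ok else "tampered"), line


def audit_store(records, key: bytes = KEY):
    """Re-verify an entire stored log: the check follows the data to disk."""
    return [classify(r, key)[0] for r in records]


# Constructed sample records (not real logs).
SAMPLE_LINES = [
    "<34>Aug 18 16:20:01 router1 bgpd: neighbor 192.0.2.2 Up",
    "<13>Aug 18 16:20:05 router1 sshd: Accepted publickey for admin",
]


def demo():
    """Build a small archive, tamper with it, and audit it.

    Returns the per-record status list."""
    stored = [protect(line) for line in SAMPLE_LINES]
    # Someone with write access to the archive rewrites one record after the
    # fact; an on-the-wire-only scheme would never notice.
    stored[1] = stored[1].replace("Accepted", "Failed", 1)
    # A legacy host that cannot sign sends a bare line; accepted but flagged.
    stored.append("<13>Aug 18 16:21:00 legacyhost cron: job finished")
    return audit_store(stored)


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The authenticator here covers each message individually, so it detects modification of a stored record and impersonation of a signing host, but not deletion or reordering of records; a sequence number or hash chain inside the signed portion would be needed for that, and a signature scheme rather than a MAC if the archive is verified by parties who must not be able to forge it.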
