Firewall Wizards mailing list archives

Re: IPsec and firewalls


From: Ted Doty <ted () iss net>
Date: Mon, 09 Feb 1998 09:58:04 -0500

At 11:26 AM 2/6/98 -0600, Aleph One wrote:

Actually, IPsec does separate authentication from confidentiality (RFC1827
and RFC1826). I was just talking to someone about this at USENIX. I see a
market for someone that implements an ISAKMP daemon that supports
transferring keys to a trusted third party. Of course this brings you all
the same headaches that Kerberos does having to maintain a secured machine
with possibly all session keys but hopefully your firewall maintains that
level of security so it should not add many more risks. Probably any such
protocols between the ISAKMP server and the firewall should be standardized
by an RFC. Anyone have any comments?

The folks working on Secure DNS have been grappling with this issue for a
while.  The idea is to include not only the IP address of the destination,
but its public key as well.  You're right in that securing a Key
Distribution Center is non-trivial, and this adds an interesting new twist
on DNS cache poisoning, but DNS has the advantage of being widely deployed
and fairly well understood.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346  USA              | Web: http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
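An added illustration of the Secure DNS idea Ted describes (address plus public key in DNS, with the zone signing both), not code from the thread or from any DNS implementation. It is a deliberately simplified model: a toy RSA key built from two constructed small primes stands in for the zone signing key, records are tuples rather than real DNS wire format, and the name vpn.example.net, its address and key fingerprint are made-up sample data. What it shows is the defender's side of the "new twist on DNS cache poisoning": a resolver configured with the zone's public key as a trust anchor accepts the address/key pair only when both records validate, so a key record slipped into the cache without the zone's signature yields no answer at all.

```python
import hashlib

# Constructed toy RSA key pair standing in for the zone's signing key.
# The primes are two well-known small primes; this is illustration only
# and is far too small to be a real key.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # modular inverse; needs Python 3.8+
ZONE_PUBLIC_KEY = (N, E)    # what resolvers are configured with (trust anchor)
ZONE_PRIVATE_KEY = (N, D)   # held only by the zone operator


def record_digest(name, rtype, rdata):
    """Canonical digest of one record, truncated so it is smaller than N."""
    canonical = f"{name.lower()}|{rtype}|{rdata}".encode()
    return int.from_bytes(hashlib.sha256(canonical).digest()[:7], "big")


def sign_record(name, rtype, rdata, private_key=ZONE_PRIVATE_KEY):
    """Zone operator signs a record with the (toy) RSA private key."""
    n, d = private_key
    return pow(record_digest(name, rtype, rdata), d, n)


def verify_record(name, rtype, rdata, signature, public_key=ZONE_PUBLIC_KEY):
    """Resolver checks a record's signature against the zone public key."""
    n, e = public_key
    return pow(signature, e, n) == record_digest(name, rtype, rdata)


def publish_zone():
    """Constructed zone data: an address record and a host public key for
    one name, each carrying the zone's signature (the 'Secure DNS' idea)."""
    records = [
        ("vpn.example.net", "A", "192.0.2.10"),
        ("vpn.example.net", "KEY", "host-pubkey-fingerprint-0001"),  # placeholder
    ]
    return [(name, rtype, rdata, sign_record(name, rtype, rdata))
            for name, rtype, rdata in records]


def resolve(cache, name, trust_anchor=ZONE_PUBLIC_KEY):
    """Return (address, host_key) for NAME only if both signed records
    validate against the trust anchor; otherwise None."""
    address = host_key = None
    for rname, rtype, rdata, sig in cache:
        if rname.lower() != name.lower():
            continue
        if not verify_record(rname, rtype, rdata, sig, trust_anchor):
            return None  # one record failing validation taints the answer
        if rtype == "A":
            address = rdata
        elif rtype == "KEY":
            host_key = rdata
    if address is None or host_key is None:
        return None
    return address, host_key


def poisoned_copy(cache):
    """Constructed cache-poisoning scenario for testing the resolver: the
    genuine KEY record is replaced by one the zone never signed. Its
    signature field is an arbitrary value, so validation must reject it."""
    poisoned = [r for r in cache if r[1] != "KEY"]
    poisoned.append(("vpn.example.net", "KEY", "unsigned-key-fingerprint", 12345))
    return poisoned


if __name__ == "__main__":
    zone = publish_zone()
    print("clean cache    ->", resolve(zone, "vpn.example.net"))
    print("poisoned cache ->", resolve(poisoned_copy(zone), "vpn.example.net"))
```

The resolver's rule is deliberately strict: a single record for the name that fails to validate discards the whole answer rather than falling back to the unsigned address, because a correct address paired with a substituted public key is exactly the outcome the signature is there to prevent.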
