[cap-talk] network level designation and authorization, meta

Stephen J. Bevan stephen at dino.dnsalias.com
Wed Jun 21 10:29:38 EDT 2006


Ian G writes:
 > Indeed the reason the browser/SSL VPNs and
 > OpenVPN exist is because it is so hard to do
 > it at the IP layer.  E.g., why aren't I using
 > it, when I can use other tools like SSH and
 > Skype easily?

At one level it is easier for the application writer to include SSL or
their own encryption in their application rather than have to deal
with some OSes supporting network level encryption (IPsec) and some
not. IPsec is available natively in Windows >= 2000 and most flavours
of Unix, but the picture was different five years ago, when Win 98 was
still widespread and Linux didn't have IPsec natively (FreeS/WAN
may or may not have been available in your distribution of choice).

 > There is a good reason for this:  the application
 > knows it is there and can rely on it.  If instead
 > the VPN approach is taken, there is little or no
 > way for an application to make any statement of
 > security, because it doesn't know if it is there.

At least with IPsec when doing peer<->peer connections then the
desired level of security can be specified when opening the socket.

 > As the meta-requirements for capabilities include
 > "secure by design" it would be a bit of a bug to
 > rely on anything that could be turned off by a sysadm.

If the admin turned off IPsec then the socket requiring security
should fail to set up.
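
To make the per-socket point concrete (a security level chosen when the socket is opened, and the socket refusing to run unprotected when IPsec is unavailable), here is an added example that is not part of the thread. It uses the Linux IP_IPSEC_POLICY socket option; it assumes Linux kernel headers, CAP_NET_ADMIN, and a key manager/IKE daemon able to set up the ESP SA.

```c
/* Added example, not from the cap-talk thread: a per-socket Linux IPsec
 * policy that requires ESP on one TCP socket via the KAME-style
 * IP_IPSEC_POLICY option (CAP_NET_ADMIN and a key manager assumed). */
#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/pfkeyv2.h>
#include <linux/ipsec.h>
#ifndef IP_IPSEC_POLICY
#define IP_IPSEC_POLICY 16   /* value from <linux/in.h> */
#endif
/* Policy header plus one ipsecrequest; both kernel structs are packed. */
struct require_esp {
    struct sadb_x_policy pol;
    struct sadb_x_ipsecrequest req;
};

/* Build "outbound traffic must use ESP, transport mode". The policy
 * length is counted in 8-byte units, the request length in bytes. */
size_t build_require_esp(struct require_esp *p)
{
    memset(p, 0, sizeof *p);
    p->pol.sadb_x_policy_len = sizeof *p / 8;
    p->pol.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
    p->pol.sadb_x_policy_type = IPSEC_POLICY_IPSEC;
    p->pol.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
    p->req.sadb_x_ipsecrequest_len = sizeof p->req;
    p->req.sadb_x_ipsecrequest_proto = IPPROTO_ESP;
    p->req.sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
    p->req.sadb_x_ipsecrequest_level = IPSEC_LEVEL_REQUIRE;
    return sizeof *p;
}

/* Attach the policy to fd; returns 0 or -errno (-EPERM if unprivileged). */
int require_esp_on_socket(int fd)
{
    struct require_esp p;
    size_t n = build_require_esp(&p);
    return setsockopt(fd, IPPROTO_IP, IP_IPSEC_POLICY, &p, n) ? -errno : 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc = require_esp_on_socket(fd);
    printf("require ESP on socket: %s\n", rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

With IPSEC_LEVEL_REQUIRE the kernel will not send this socket's traffic without ESP; if no SA can be established the connection fails rather than falling back to cleartext.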
