March 16, 2005

Better-Than-Nothing Security

There is a proposal in the IETF to create a BTNS working group, for Better-Than-Nothing Security. This is a recognition of the fact that "all-or-nothing" security often means "nothing." The biggest issue seems to be man-in-the-middle (MITM) attacks. MITM attacks are active attacks, and protection against such active attacks is much harder than protection against passive -- that is, eavesdropping-only -- attacks.

IPsec requires a certain amount of infrastructure. This working group would develop a new profile for IPsec that allows encryption without authentication. An application-layer protocol could then implement its own authentication.
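An added example (not from the original post or from the BTNS proposal) of how an application-layer protocol might authenticate over an unauthenticated encrypted channel: the application binds its authentication tag to the channel's session key, so a key substituted by a man in the middle makes verification fail. The toy Diffie-Hellman parameters, the pre-shared secret and all function names are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Both ends derive the channel key from the unauthenticated exchange.
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def auth_tag(psk, role, key):
    # Application-layer proof: HMAC under the shared secret, bound to the
    # channel key so it is only valid on the channel it was computed for.
    return hmac.new(psk, role + b"|" + key, hashlib.sha256).digest()

def verify(psk, role, key, tag):
    return hmac.compare_digest(auth_tag(psk, role, key), tag)

def run_exchange(mitm=False):
    """Return (keys_match, client_accepts_server, server_accepts_client)."""
    psk = b"constructed-app-secret"  # assumption: provisioned out of band
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    if mitm:
        # Active attacker replaces each public value with its own.
        _, m_pub = dh_keypair()
        c_key = session_key(c_priv, m_pub)
        s_key = session_key(s_priv, m_pub)
    else:
        c_key = session_key(c_priv, s_pub)
        s_key = session_key(s_priv, c_pub)
    # Tags are relayed unchanged; the attacker cannot forge them without psk.
    c_tag = auth_tag(psk, b"client", c_key)
    s_tag = auth_tag(psk, b"server", s_key)
    return (c_key == s_key,
            verify(psk, b"server", c_key, s_tag),
            verify(psk, b"client", s_key, c_tag))

if __name__ == "__main__":
    print("no attacker:", run_exchange(False))
    print("key substitution:", run_exchange(True))
```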

Posted by Doug Sauder at March 16, 2005 08:22 AM