
Re: swIPe available for FTP.



Steve,

> Apart from problems with the architecture, there are three serious
> flaws in the implementation.
I beg to differ. 

1. Key management is an orthogonal issue. The hooks are there in the
kernel code; all you have to do is plug in your own key management.
Key management is NOT part of the swIPe protocol!

2. Filtering on input can best be performed by any number of products
already available (screening routers, host-based filtering). The swIPe
implementation is by no means a one-stop solution to all your firewall
problems.

3. I would welcome suggestions on how to notify higher protocols. I
have a number of ideas, but I don't particularly like any of them. As
a start, packets which arrived swIPed, made it through the
un-swIPe-ing procedure, and reappear at the IP input stream appear as
if they are coming from the swIPe virtual interface (rather than the
real interface the packet came in on).

One more thing: the code that I released does NOT pretend to be a
complete or final implementation of swIPe. It is working code with
which to experiment in a live situation rather than theorise endlessly
about what should and should not be done. Aside from the fact that a
lot of people will find it useful just the way it is, I released it so
that people have a starting point to play with. If you have a problem
with the implementation, please feel free to go ahead and fix it, and
share the fixes with the rest of us.

/ji