
Re: IPSEC requirements



> 	I agree with Marcus that the term "firewall" has come to
> mean two very different types of perimeter security, operating at the
> IP layer or at the application layer.  I think relatively few
> firewalls operate at the transport layer, per se, perhaps because of
> the difficulty of concatenating TCP connections.

I'm afraid concatenating TCP connections is for firewalls at the
application layer (or above). For TCP, the payload is just a stream
of bytes. The transport layer does not try to interpret the data in
the payload. It's the application which gives the semantics to the payload.

BTW, it is a really bad layering violation for routers to peek into TCP,
and it does not work when there are multiple alternative routes,
which is the other proof that looking at the payload is for the
application layer firewall.

> The IP layer
> firewalls examine TCP and UDP port fields in making filtering or
> screening decisions, but that is not the same as implementing
> full-fledged transport layer processing.  (It's a minor form of cheating.)

Urrrr, see RFC 768:
                                    
                  0      7 8     15 16    23 24    31  
                 +--------+--------+--------+--------+ 
                 |     Source      |   Destination   | 
                 |      Port       |      Port       | 
                 +--------+--------+--------+--------+ 
                 |                 |                 | 
                 |     Length      |    Checksum     | 
                 +--------+--------+--------+--------+ 
                 |                                     
                 |          data octets ...            
                 +---------------- ...                 

                      User Datagram Header Format

Port # is the only essential data of the transport layer UDP header!

So, if you call it minor cheating, the entire concept of the transport
layer is minor cheating.

> 	Application layer firewalls are generally a pain for users to
> deal with.

Not necessarily.

> Double logins are annoying

Applications behind an application firewall do not need a login and
can simply believe the firewall for the identification of the user.

> and proxy application
> processing is complex and may not preserve the application semantics.

> It also creates the potential for processing bottlenecks.

Those are the problems.

It is my understanding that applications are so different from each other
that it is impractical to construct application-independent application
layer firewalls. And if firewalls are application dependent, they are
rather a part of a secured application than general purpose firewalls.

> 	Despite our differences of opinion on several details, we do
> agree that application layer firewalls are not a desirable endpoint
> for Internet security.

Sure, but I'll be a lot more comfortable if we stop cheating and
can agree that "IP level" means "network or transport layer".

							Masataka Ohta
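The port-field screening the message argues about, written out as an added example (not code from the original message or thread): it parses the four RFC 768 header fields shown above, verifies the UDP checksum over the IPv4 pseudo-header, and then makes a destination-port filtering decision. The endpoint addresses and the sample datagram are constructed for illustration.

```python
import struct

# Constructed sample (not from the original message): IPv4 endpoints from the
# documentation ranges and one UDP segment carrying the two-byte payload "hi".
SRC_IP = bytes([192, 0, 2, 1])
DST_IP = bytes([198, 51, 100, 7])
SEGMENT = struct.pack("!HHHH", 40000, 53, 10, 0x0EBF) + b"hi"


def parse_udp_header(segment: bytes) -> dict:
    """Split the 8-octet header of RFC 768 into its four 16-bit fields."""
    if len(segment) < 8:
        raise ValueError("UDP header needs at least 8 octets")
    src, dst, length, csum = struct.unpack("!HHHH", segment[:8])
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": csum, "data": segment[8:length]}


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Ones'-complement sum over the IPv4 pseudo-header, the UDP header with
    its checksum field zeroed, and the data, padded to an even octet count."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(segment))
    buf = pseudo + segment[:6] + b"\x00\x00" + segment[8:]
    if len(buf) % 2:
        buf += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    result = ~total & 0xFFFF
    return result or 0xFFFF                  # RFC 768: all-zero result is sent as all ones


def transport_filter(src_ip: bytes, dst_ip: bytes, segment: bytes,
                     allowed_dst_ports: set) -> str:
    """Port-based screening decision; sanity checks come from the header alone."""
    hdr = parse_udp_header(segment)
    if hdr["length"] != len(segment):
        return "drop: length field does not match datagram"
    # A transmitted checksum of zero means the sender computed none (IPv4).
    if hdr["checksum"] and udp_checksum(src_ip, dst_ip, segment) != hdr["checksum"]:
        return "drop: bad checksum"
    if hdr["dst_port"] not in allowed_dst_ports:
        return "drop: destination port %d not allowed" % hdr["dst_port"]
    return "accept"


if __name__ == "__main__":
    print(parse_udp_header(SEGMENT))
    print(transport_filter(SRC_IP, DST_IP, SEGMENT, {53}))
```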