
Re: IPSEC requirements




Masataka,

	I understand the difference between transport and application
layers, and I meant what I said about pure transport relaying
vs. application relaying (or proxy applications).  

	Looking at TCP/UDP port values is a layer violation for an IP
layer intermediate system, and one which I do not endorse.  I don't
think it causes problems for the reason you cite.  If one makes
filtering (screening) decisions based on port fields, then these
decisions should be consistent irrespective of whether the packets
take a consistent route or if alternative routes into the enclave are
taken.  In contrast, application layer firewalls do limit one's
opportunity to take advantage of alternative routes.  However, Marcus
and others have pointed out that one can home multiple routers with
different attachment points to external nets to a single firewall
machine, so as to retain much of the alternate routing flexibility.
Also, the reliability of machines used as application layer firewalls
has usually been excellent, so the single point of failure posed by a
firewall of this sort also may not be as bad as one might think.

	What would be a terrible problem for an intermediate system is
trying to emulate or track the TCP state information for each
connection through that system.  That is where alternate routes can
kill you.  So, in that light, looking at the port fields is cheating a
little, but looking at the sequence numbers and flags would be really
severe cheating!

	Applications behind a firewall do not automatically get login
info from a firewall, e.g., the target machine and the firewall may
require different user ID technology and thus be incompatible in terms
of relaying user I&A.  Also, application layer firewalls often are set
up to control outgoing connections, where the user is behind the
firewall and the target application is outside.  Here the target may
not be willing to trust user I&A info provided by some firewall
elsewhere, and that results in multiple logins. 

	Finally, yes, we do agree that application-dependent firewalls
are a long term problem because they require tracking evolving
applications and the intermediate implementation of these applications
may lose functionality for the users.

Steve
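The contrast Steve draws between screening on port fields (stateless, hence consistent whichever router a packet enters by) and emulating per-connection TCP state (which falls apart as soon as the two directions of a connection take different routes) can be made concrete with a small simulation. The following is an added example written for this page, not code from the original message or from any product discussed in the thread. The enclave prefix, the allowed ports, the addresses and the single HTTP connection are all constructed; the two filter classes are deliberately minimal models, not a real firewall implementation.

```python
"""Constructed example (not code from the original thread): a stateless
port screen versus a per-connection TCP state tracker, and what happens
to each when the reply packets take an alternative route into the enclave.
Addresses, ports and the single connection below are all made up."""
from dataclasses import dataclass

INSIDE_PREFIX = "10."               # hypothetical enclave address space
ALLOWED_OUTBOUND_DPORTS = {25, 80}  # policy: inside hosts may reach SMTP and HTTP outside


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN"}


def outbound(p: Packet) -> bool:
    return p.src.startswith(INSIDE_PREFIX) and not p.dst.startswith(INSIDE_PREFIX)


def describe(p: Packet) -> str:
    return ("out:" if outbound(p) else "in:") + "+".join(sorted(p.flags))


class PortFilter:
    """Screens on the port fields alone.  It keeps no memory between
    packets, so its verdict is the same whichever router a packet enters by."""

    def permit(self, p: Packet) -> bool:
        if outbound(p):
            return p.dport in ALLOWED_OUTBOUND_DPORTS
        # Inbound: accept anything that looks like a reply from an allowed service.
        return p.sport in ALLOWED_OUTBOUND_DPORTS


class ConnTracker:
    """Emulates TCP connection state.  Each box keeps its own table and
    only learns from the packets that happen to be routed through it."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def key(p: Packet):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)  # same key for both directions

    def permit(self, p: Packet) -> bool:
        k = self.key(p)
        state = self.table.get(k)
        if state is None:
            # Only an outbound SYN to an allowed port may open an entry.
            if outbound(p) and p.flags == frozenset({"SYN"}) and p.dport in ALLOWED_OUTBOUND_DPORTS:
                self.table[k] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT":
            if outbound(p):               # retransmitted SYN or the final ACK
                return True
            if p.flags == frozenset({"SYN", "ACK"}):
                self.table[k] = "ESTABLISHED"
                return True
            return False
        return state == "ESTABLISHED"


def http_exchange():
    """Three-way handshake plus one response segment for a made-up connection."""
    client, server = ("10.1.1.5", 40000), ("192.0.2.10", 80)
    return [
        Packet(*client, *server, frozenset({"SYN"})),
        Packet(*server, *client, frozenset({"SYN", "ACK"})),
        Packet(*client, *server, frozenset({"ACK"})),
        Packet(*server, *client, frozenset({"ACK"})),  # data from the server
    ]


def run(filter_cls, asymmetric: bool):
    """Two intermediate systems, A and B, on different routes into the enclave.
    Outbound packets always leave through A; inbound packets return through A
    (symmetric routing) or through B (asymmetric).  Returns the packets dropped."""
    box_a, box_b = filter_cls(), filter_cls()
    dropped = []
    for p in http_exchange():
        box = box_b if (asymmetric and not outbound(p)) else box_a
        if not box.permit(p):
            dropped.append(describe(p))
    return dropped


def unsolicited_probe(filter_cls) -> bool:
    """An inbound packet with source port 80 that belongs to no connection."""
    probe = Packet("198.51.100.7", 80, "10.1.1.5", 40001, frozenset({"ACK"}))
    return filter_cls().permit(probe)


if __name__ == "__main__":
    for cls in (PortFilter, ConnTracker):
        for asym in (False, True):
            print(cls.__name__, "asymmetric" if asym else "symmetric", "dropped:", run(cls, asym))
        print(cls.__name__, "passes unsolicited sport-80 packet:", unsolicited_probe(cls))
```

Under symmetric routing both filters pass the whole exchange. Once the replies enter through box B, the state tracker on B has never seen the SYN and drops the SYN-ACK and the data segment, while the port screen on B reaches the same verdict A would have. The price of the port screen's route independence is visible in `unsolicited_probe`: any inbound packet claiming source port 80 is accepted whether or not a connection exists, which is exactly why looking at port fields is "cheating a little".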