Re: IPSP Management Specifications was - Re: Managing IPSP
- To: uri@watson.ibm.com, ipsec@ans.net
- Subject: Re: IPSP Management Specifications was - Re: Managing IPSP
- From: Michael Richardson <mcr@milkyway.com>
- Date: Tue, 22 Aug 1995 20:27:07 -0400
- In-Reply-To: Your message of "Tue, 22 Aug 1995 19:17:57 EDT." <9508222317.AA35218@hawpub.watson.ibm.com>
- References: <9508222317.AA35218@hawpub.watson.ibm.com>
> First - it's not "managing *via* IPSP" - it's managing IPSP *itself*.
I realize that.
> Second - I don't think it maps onto firewall world at all.
Maybe I misunderstand the point: I assume that you want to determine
a. when to encrypt --- by source, dest, service.
b. when to authenticate --- src,dst,service
c. when to accept without ESP, by src,dst,service
d. when to accept without AH, by src,dst,service
If you can do all of those things, you can have a security gateway.
> IPSEC for SNMP auth is wrong, since SNMP is designed to go over many
> more transports, than IP (or IPSEC). Using SNMP for IPSEC configuration
> seems perfectly good idea to me.
I agree about SNMP over IPSEC being wrong. Maybe in a couple of weeks the
SNMPv2 proposals will settle down again with a clear security contender.
--- you have to use authenticated SNMP for IPSEC configuration.
:!mcr!: | <A HREF="http://www.milkyway.com/">Milkyway Networks Corporation</A>
Michael Richardson | Makers of the Black Hole firewall
NCF: aa714 || xx714 | +1 613 566-4574 ... mcr@milkyway.com
Home: <A HREF="http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ocunix.on.ca</A>. PGP key available.
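
Added example, not part of the original message: a first-match policy table keyed on (src, dst, service) that answers the four questions (a) to (d) listed in the message, for both the outbound and the inbound direction of a security gateway. The rule set, addresses, field and function names, first-match ordering and the default-deny behaviour for unmatched traffic are all assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str                  # source prefix (CIDR)
    dst: str                  # destination prefix (CIDR)
    service: str              # "proto/port", or "*" for any service
    encrypt: bool             # (a) apply ESP on the way out
    authenticate: bool        # (b) apply AH on the way out
    accept_without_esp: bool  # (c) inbound may arrive without ESP
    accept_without_ah: bool   # (d) inbound may arrive without AH

# Constructed policy (documentation/private addresses); first match wins.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "*", True, True, False, False),
    Rule("0.0.0.0/0", "192.0.2.25/32", "tcp/25", False, False, True, True),
    Rule("0.0.0.0/0", "192.0.2.0/24", "tcp/23", False, True, True, False),
]

def lookup(src, dst, service):
    """Return the first rule matching (src, dst, service), or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.service in ("*", service)):
            return r
    return None

def outbound_transforms(src, dst, service):
    """Transforms to apply before sending; None means no rule, so drop."""
    r = lookup(src, dst, service)
    if r is None:
        return None
    return [n for n, on in (("AH", r.authenticate), ("ESP", r.encrypt)) if on]

def accept_inbound(src, dst, service, has_esp, has_ah):
    """Gateway decision for an arriving packet (assumed default deny)."""
    r = lookup(src, dst, service)
    if r is None:
        return False
    if not has_esp and not r.accept_without_esp:
        return False
    if not has_ah and not r.accept_without_ah:
        return False
    return True
```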