
Re: ports in the clear...




Greg Minshall <minshall@ipsilon.com> wrote:
% Did i mention my desire to expose the source and destination TCP/UDP ports 
% (via some new fields in the IPSEC header) when doing encryption?

Yes.  You've mentioned this several times.  My answers remain the same.

You should concentrate on convincing everyone else first,
because there is ZERO chance I'll be convinced to open up the ports
and ULP identifier with ESP.

% There are lots of reasons, from bean counting ("what % of the internet 
% traffic is web traffic?")

So add a counter for encrypted traffic.  Not a good argument.
 
% to firewalls 

Should be implementing IPsec anyway.  Most firewalls are becoming encrypting
firewalls already.  Not a good argument.

% to "best effort QoS" (make telnet port low latency; 
% make ftp data port high throughput).

Use RSVP instead.  See the RSVP+IPsec draft for how to make it work.

Your unstated reason is that it relates to how the Ipsilon product works
and that won't persuade me either.  

Nothing says that users must use encryption.  If they choose to do so,
then they ought not have their ports and ULP identifier in cleartext.

Ran
rja@inet.org
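As an added illustration that is not part of this thread, the constructed Python example below shows what a port-based classifier (a firewall rule or a "best effort QoS" queue selector) can read from a telnet segment sent in the clear versus the same segment inside ESP: only the SPI and sequence number remain visible, and the ports and ULP identifier are inside the ciphertext. The addresses, ports, SPI and ciphertext bytes are all constructed.

```python
import struct

# Constructed example: what a router or firewall can classify on when a flow
# is sent in the clear versus inside ESP (IP protocol 50).
ESP_PROTO = 50
TCP_PROTO = 6

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, addr(src), addr(dst))
    return hdr + payload

def visible_fields(pkt: bytes) -> dict:
    """Fields readable without a key, i.e. what a non-IPsec classifier sees."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20])),
            "proto": proto, "ulp": None, "sport": None, "dport": None}
    body = pkt[ihl:]
    if proto == TCP_PROTO:
        sport, dport = struct.unpack("!HH", body[:4])
        info.update(ulp="tcp", sport=sport, dport=dport)
    elif proto == ESP_PROTO:
        # ESP exposes only SPI and sequence number; the inner transport header
        # and the Next Header (ULP identifier) byte sit inside the ciphertext.
        spi, seq = struct.unpack("!II", body[:8])
        info.update(spi=spi, seq=seq)
    return info

# A cleartext telnet segment: source port 40000 to destination port 23.
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
CLEAR_PKT = build_ipv4(TCP_PROTO, "10.0.0.1", "10.0.0.2", TCP_HDR)

# The same segment after ESP encapsulation: SPI 0x1000, seq 1, then ciphertext.
# The ciphertext bytes are a constructed stand-in, not real cipher output.
CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(len(TCP_HDR) + 16))
ESP_PKT = build_ipv4(ESP_PROTO, "10.0.0.1", "10.0.0.2",
                     struct.pack("!II", 0x1000, 1) + CIPHERTEXT)

if __name__ == "__main__":
    print(visible_fields(CLEAR_PKT))
    print(visible_fields(ESP_PKT))
```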

