
Re: Corner-case question



Dan McDonald writes:
> > Are you having problems with a specific implementation not being flexible
> > enough to handle this?
> 
> It's not a question of flexibility, it's a question of performing what are a
> TON of gyrations to handle a corner case.  Lemme spell it out.



> If I have per-route policy, I have routing tables that look like:
            ^^^^^^^^^^^^^^^^ -- read "specific implementation"

> Let's add some
> smarts.  How 'bout if the source address is mine, then I don't tunnel.  Okay,
> this means if I talk to A, I talk to A in the clear.

> I didn't say it was tough to figure out, what I did say was that it's a can
> of worms.  The above checking is long and painful, and will slow things down.
> Perhaps it's the price I must pay for total security.  If that's the case,
> then that's a legitimate answer to my questions.

If you allow any machines outside your network to contact your
encrypting gateway without security, how can you claim to have any
security at all (much less total security)?  It seems if you require
that communication to be encrypted as well, you'd be able to get the job
done with fewer hoops to jump through, and you'd protect yourself more
nearly adequately.


ben
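The two policies argued over in this exchange, written out as a small policy evaluator. This is an added illustration, not code from either poster or from any IPsec implementation: the routing table, the gateway addresses and the traffic flows are all constructed for the example. It models Dan's per-route table with the "if the source address is mine, don't tunnel" bypass (assumed here to apply symmetrically, so replies to the gateway's own address are also accepted in the clear, which is what "I talk to A in the clear" implies), beside Ben's rule that every flow crossing the site boundary must be protected. The `compare()` function lists the flows the bypass leaves unprotected.

```python
"""Per-route IPsec policy with a "source address is mine" bypass, beside a
strict policy with no such exception.  Added example for the thread above;
not code from the posters.  All addresses, routes and flows are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    tunnel: bool  # True: traffic matching this route goes through an IPsec tunnel


# Constructed routing table: my own site, a peer site reached through a
# tunnel, and a default route that is tunnelled as well.
ROUTES = [
    Route(ipaddress.ip_network("10.1.0.0/16"), tunnel=False),  # my network
    Route(ipaddress.ip_network("10.2.0.0/16"), tunnel=True),   # peer site
    Route(ipaddress.ip_network("0.0.0.0/0"), tunnel=True),     # everything else
]
MY_NETWORK = ipaddress.ip_network("10.1.0.0/16")
# Addresses the gateway itself owns (constructed): an inside and an outside one.
MY_ADDRESSES = {ipaddress.ip_address("10.1.0.1"), ipaddress.ip_address("192.0.2.1")}


def lookup(dst):
    """Longest-prefix match of dst over ROUTES; returns the winning Route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in ROUTES:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def per_route_policy(src, dst):
    """Dan's scheme: the route decides, except that flows to or from the
    gateway's own addresses are never tunnelled (assumption: the bypass is
    applied in both directions).  Returns 'clear' or 'tunnel'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MY_ADDRESSES or d in MY_ADDRESSES:
        return "clear"
    return "tunnel" if lookup(d).tunnel else "clear"


def strict_policy(src, dst):
    """Ben's alternative: anything that crosses the site boundary must be
    protected, with no exception for the gateway's own addresses.
    Returns 'clear' only when both ends are inside MY_NETWORK."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in MY_NETWORK and d in MY_NETWORK:
        return "clear"
    return "protect"


def compare(flows):
    """Return the (src, dst) flows the per-route bypass sends in the clear
    but the strict policy would have protected."""
    return [
        (src, dst)
        for src, dst in flows
        if per_route_policy(src, dst) == "clear" and strict_policy(src, dst) != "clear"
    ]


# Constructed sample flows: an outside host A (203.0.113.7) talking with the
# gateway's outside address, plus ordinary inside and peer-site traffic.
SAMPLE_FLOWS = [
    ("192.0.2.1", "203.0.113.7"),   # gateway -> A: bypass applies
    ("203.0.113.7", "192.0.2.1"),   # A -> gateway: reply, also in the clear
    ("10.1.5.5", "10.1.7.7"),       # inside -> inside: clear under both
    ("10.1.5.5", "10.2.3.3"),       # inside -> peer site: tunnelled
    ("10.1.5.5", "198.51.100.9"),   # inside -> elsewhere: default route, tunnelled
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<14} per-route={per_route_policy(src, dst):6} "
              f"strict={strict_policy(src, dst)}")
    print("unprotected under per-route policy:", compare(SAMPLE_FLOWS))
```

Running it prints the decision each policy makes per flow; `compare()` comes back with exactly the two gateway-to-A flows, which is the hole Ben is pointing at: the bypass that keeps the per-route table simple is also the one path an outside machine can use to reach the encrypting gateway with no protection at all.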




