Re: a drop/bypass action negotiation issue
Alexei

> The arch. draft introduces two additional
> supported filtering actions, such as 'drop' and 'bypass'.
> Unfortunately, there is no defined way to _negotiate_
> these actions with a remote peer.

You have raised an interesting point.  I have been thinking about the
drop and bypass functions as mechanisms used by the security
administrator to specify policy.  From that perspective, I would not
want anyone else to be able to _negotiate_ any changes to the local
policy.  However, if the local policy is to permit some trusted
parties to poke holes in the firewall, then I can see your view.
However, it could still be argued that the local policy is not being
negotiated, only the use of a different preexisting policy entry.

IPSecond seems like the right place to explore the requirements.

Charlie