Re: a drop/bypass action negotiation issue
Alexei
> The arch. draft introduces two additional
> supported filtering actions, such as 'drop' and 'bypass'.
> Unfortunately, there is no defined way to _negotiate_
> these actions with a remote peer.
You have raised an interesting point. I have been thinking about the
drop and bypass functions as mechanisms used by the security
administrator to specify policy. From that perspective, I would not
want anyone else to be able to _negotiate_ any changes to the local
policy. However, if the local policy is to permit some trusted
parties to poke holes in the firewall, then I can see your view.
However, it could still be argued that the local policy is not being
negotiated, only the use of a different preexisting policy entry.
IPSecond seems like the right place to explore the requirements.
Charlie