
Re: some issues about IPSec





Scott G. Kelly wrote:

> One benefit is that it provides the end-user with the capability to
> negotiate security association attributes on its own behalf. Perhaps the
> end-user desires stronger security than the sgw configuration would
> permit. Perhaps the sgw services so many endusers that the granularity
> of its SPD is not sufficient to provide for the varied needs of its
> clients.

You can do end-user to end-user in tunnel mode - therefore I don't buy this
argument.

>
>
> Perhaps a stronger argument exists in terms of overhead concerns. If the
> enduser provides its own security service, that's one less
> (encapsulating) ip header on the packet. Further, it relieves (in the
> short term) concerns of bottlenecks at sgw's which may not have the
> processing power and memory to provide the granularity necessary to
> provide for every client's needs at wireline speeds.

I don't buy this argument either - there is no need for double-encapsulation -
just establish an end-to-end tunnel.

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com




