
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
JGC writes:
> The option to supply port information means that security can be
> downgraded (i.e. the ports can be revealed) when a management
> application needs to run (for troubleshooting purposes, for example) and
> then can easily be switched on.

You can do that by turning off ESP and switching to AH for a while if
you need to for troubleshooting. You don't need to ruin the protocol
to do that.

> This would be a very valuable service.  In addition some devices
> characterize traffic priority based on ports (and other information)
> and in the presence of an IPSEC packet these devices would not work
> (which is of course a classic example of the security/functionality
> trade off).

I dunno what the lost functionality is. You can still label your
packets with TOS markings.

Perry
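As an added illustration (not part of Perry's or JGC's message), a small Python model of the trade-off discussed above: what a port-based classifier can read from an IPv4 packet carrying TCP in the clear, under AH, and under ESP, while the TOS byte stays readable in all three. The SPI, sequence, address and ICV values are constructed placeholders, and the ESP "encryption" is a stand-in XOR, not a real cipher.

```python
"""Constructed sample packets: what a middlebox sees under plain TCP, AH and ESP."""
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51

def ipv4_header(proto, tos, payload_len):
    # Minimal 20-byte IPv4 header; id/flags/checksum left zero (constructed sample).
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

def tcp_header(sport, dport):
    # 20-byte TCP header; only the fields a classifier looks at are meaningful.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def ah_packet(tos, sport, dport):
    # AH: next header, payload len (32-bit words minus 2), reserved, SPI, seq, 12-byte ICV.
    # The TCP header follows in the clear; AH only authenticates it.
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, 0x1000, 1) + b"\x00" * 12
    body = ah + tcp_header(sport, dport)
    return ipv4_header(IPPROTO_AH, tos, len(body)) + body

def esp_packet(tos, sport, dport):
    # ESP: SPI, seq, then the encrypted TCP segment (stand-in: XOR with a constant byte).
    ciphertext = bytes(b ^ 0xA5 for b in tcp_header(sport, dport))
    body = struct.pack("!II", 0x2000, 1) + ciphertext
    return ipv4_header(IPPROTO_ESP, tos, len(body)) + body

def classify(pkt):
    """Return what a middlebox can read: (tos, (sport, dport)) or (tos, None)."""
    tos, proto = pkt[1], pkt[9]
    ihl = (pkt[0] & 0x0F) * 4
    payload = pkt[ihl:]
    if proto == IPPROTO_TCP:
        return tos, struct.unpack("!HH", payload[:4])
    if proto == IPPROTO_AH:
        next_hdr, ah_len = payload[0], payload[1]
        ah_bytes = (ah_len + 2) * 4          # AH length field is in 32-bit words minus 2
        if next_hdr == IPPROTO_TCP:
            return tos, struct.unpack("!HH", payload[ah_bytes:ah_bytes + 4])
    # ESP (or an unrecognised next header): the transport header is not readable.
    return tos, None
```

Run against the three constructors, `classify` returns the ports for plain TCP and for AH but `None` for ESP, while the TOS value comes back unchanged in every case.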

