Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard
JGC writes:
> The option to supply port information means that security can be
> downgraded (i.e. the ports can be revealed) when a management
> application needs to run (for troubleshooting purposes, for example) and
> then can easily be switched on.
You can do that by turning off ESP and switching to AH for a while if
you need to for troubleshooting. You don't need to ruin the protocol
to do that.
> This would be a very valuable service. In addition some devices
> characterize traffic priority based on ports (and other information)
> and in the presence of an IPSEC packet these devices would not work
> (which is of course a classic example of the security/functionality
> trade-off).
I dunno what the lost functionality is. You can still label your
packets with TOS markings.
Perry