
Re: ipsec vs. firewalls



At 08:12 PM 5/6/98 -0700, Steve Bellovin wrote:

>I came up with a disturbing conflict between ubiquitous IPSEC and
>common firewall policies.  I'm not certain how to resolve it,
>either.
>
>A common firewall policy permits most outgoing calls.  (The
>requirement to authenticate such calls, say via AH from the inside
>host to the firewall, wouldn't affect what comes next.)  Suppose,
>though, that the inside host wants to use ESP for end-to-end
>encryption to the destination.  How will the firewall inspect the
>return packet?

Why not just include a 'return' SPI in the header?

Also, firewalls aren't showing signs of going away anytime soon. Even
if they were, 'feature creep' seems to be leading firewall and router
vendors into passive 'QOS', which uses almost identical packet
classification selector schemes to firewalls (and, I might add, IPsec).
Your issue isn't just with firewalls, it's with this whole industry
of 'packet snooping' boxes that seem to have been lurking at every turn
at Interop this week.

-- Joe
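The conflict Bellovin raises and the 'return SPI' idea in the reply above, as an added example that is not part of the original thread or of any IPsec implementation: a toy stateful firewall that permits outgoing calls and records the selectors it expects on the return packet. For a TCP reply the ports are in the clear and the state entry matches; for an ESP reply the ports are inside the ciphertext, so the only selector left is the SPI, and the firewall can match the return packet only if it has somehow been told that SPI in advance (here via a hypothetical announce_return_spi() call, which stands in for whatever signalling the thread is debating, not for any real protocol). The addresses, SPI and packet bytes are constructed for the demo.

```python
import ipaddress
import struct

TCP = 6
ESP = 50


def build_ipv4(src, dst, proto, payload):
    # Minimal IPv4 header (no options, zero checksum): enough for a classifier.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def tcp_payload(sport, dport):
    # Minimal TCP header: ports, seq, ack, data offset, flags (SYN), window, csum, urg.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_payload(spi, seq, ciphertext):
    # ESP: SPI and sequence number are the only cleartext fields; the inner
    # transport header (and therefore the ports) is inside the ciphertext.
    return struct.pack("!II", spi, seq) + ciphertext


def classify(pkt):
    """Return the selectors a packet filter can actually see for this packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    sel = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
           "proto": proto}
    if proto == TCP:
        sel["sport"], sel["dport"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        # No ports available: the SPI is all the classifier has to go on.
        sel["spi"], sel["seq"] = struct.unpack("!II", body[:8])
    return sel


class StatefulFirewall:
    """Permit outbound calls; admit inbound packets only if they match recorded state."""

    def __init__(self, inside_net):
        self.inside = ipaddress.ip_network(inside_net)
        self.expected = set()  # keys an inbound packet must match to be admitted

    def announce_return_spi(self, peer, inside_host, spi):
        # Hypothetical hook for the 'return SPI' idea: the inside host tells the
        # firewall which SPI the peer will use on the way back. Assumed, not real.
        self.expected.add(("esp", peer, inside_host, spi))

    def process(self, pkt):
        sel = classify(pkt)
        if ipaddress.ip_address(sel["src"]) in self.inside:  # outbound
            if sel["proto"] == TCP:
                # Reverse 4-tuple the reply will carry in the clear.
                self.expected.add(("tcp", sel["dst"], sel["src"], sel["dport"], sel["sport"]))
            return "permit"
        if sel["proto"] == TCP:
            key = ("tcp", sel["src"], sel["dst"], sel["sport"], sel["dport"])
        elif sel["proto"] == ESP:
            key = ("esp", sel["src"], sel["dst"], sel["spi"])
        else:
            key = None
        return "permit" if key in self.expected else "drop"


def demo():
    # Constructed scenario: inside host 10.1.2.3 calls out to 192.0.2.10.
    fw = StatefulFirewall("10.1.0.0/16")
    inside, outside, spi = "10.1.2.3", "192.0.2.10", 0x1234ABCD
    out_tcp = build_ipv4(inside, outside, TCP, tcp_payload(40000, 80))
    back_tcp = build_ipv4(outside, inside, TCP, tcp_payload(80, 40000))
    back_esp = build_ipv4(outside, inside, ESP, esp_payload(spi, 1, b"\x00" * 16))
    r_out = fw.process(out_tcp)        # permit: outgoing call
    r_tcp = fw.process(back_tcp)       # permit: cleartext reply matches state
    r_esp = fw.process(back_esp)       # drop: nothing visible to match
    fw.announce_return_spi(outside, inside, spi)
    r_esp_announced = fw.process(back_esp)  # permit: return SPI known in advance
    return r_out, r_tcp, r_esp, r_esp_announced


if __name__ == "__main__":
    print(demo())
```

The point the toy makes explicit: the state the firewall keeps for an ordinary outgoing call is keyed on fields that ESP hides, so the return packet looks like an unsolicited inbound ESP datagram. Anything that lets the firewall admit it must be keyed on what remains visible, the outer addresses and the SPI, and the SPI has to be learned before the packet arrives.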


