
Re: using port numbers in selectors



I am talking about FTP ports (within the TCP protocol, of course).
FTP ports (typically) mean ports 21 and 20. But often it also means 21 and
some other dynamically assigned port - what should be done in this case for
selectors?

The whole issue of bringing port selectors into IPSec is a big mistake to begin
with (IMHO) - ports belong in the Transport Layer, not to the IP layer. Bringing
them into IPSec is a poor attempt to filter traffic based on selectors that is
better implemented by Transport Layer security or firewalls.


"Scott G. Kelly" wrote:

> Slava Kavsan wrote:
> >
> > ...and what do you do if the Policy says use FTP port - but FTP-data port
> > is dynamically assigned? Same for HTTP.
>
> I may be misunderstanding, but this sounds like an implementation
> problem, and one that is completely unrelated to the original question
> at that. First of all, the "protocols" supported as selectors only
> include those IP protocols with IANA numbers, of which FTP is not one.
>
> Secondly, if your configuration utility permits someone to specify "use
> FTP port" with no further indication of what "FTP port" means, then I
> guess it is up to your implementation to know that FTP runs over TCP,
> and to dynamically track which TCP ports are being used for FTP by the
> systems it is protecting. This is admittedly a can of worms, but I don't
> think it means we shouldn't support port numbers (or ranges, or
> wildcards) in selectors.
>
> Scott

--
Bronislav Kavsan
IRE Secure Solutions, Inc.
100 Conifer Hill Drive  Suite 513
Danvers, MA  01923
voice: 978-739-2384
http://www.ire.com
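Added example, not from this thread or from any IPsec implementation: a toy Python model of the selector matching the two posts argue about. It assumes a selector made of an IP protocol number plus a destination port range, and it learns FTP data ports the way Scott's reply suggests, by watching PORT commands and 227 PASV replies on the control channel; the sample control line and port are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TCP = 6  # IANA protocol number for TCP; "FTP" itself has no such number


@dataclass(frozen=True)
class Selector:
    """Toy IPsec selector: protocol number and inclusive dst port range.
    None in either field is a wildcard."""
    proto: Optional[int]
    dport: Optional[Tuple[int, int]]

    def matches(self, proto: int, dport: int) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and not (self.dport[0] <= dport <= self.dport[1]):
            return False
        return True


# Six comma-separated numbers, as carried by PORT commands and 227 PASV replies
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass
class FtpTrackingSelector:
    """Matches the FTP control port plus data ports learned from the control
    channel, which is what a policy saying 'use FTP port' actually requires."""
    control: Selector = field(default_factory=lambda: Selector(TCP, (21, 21)))
    learned: Set[int] = field(default_factory=set)

    def observe_control(self, line: str) -> None:
        line = line.strip()
        if line.upper().startswith("PORT ") or line.startswith("227 "):
            m = _HOSTPORT.search(line)
            if m:
                p1, p2 = int(m.group(5)), int(m.group(6))
                self.learned.add(p1 * 256 + p2)  # RFC 959 port encoding

    def matches(self, proto: int, dport: int) -> bool:
        return self.control.matches(proto, dport) or (proto == TCP and dport in self.learned)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed case: data connection to port 50001, announced on the
    control channel as 'PORT 10,0,0,5,195,81'. Returns (static selector hit,
    tracking selector hit before the PORT line, tracking selector hit after)."""
    static, tracking = Selector(TCP, (21, 21)), FtpTrackingSelector()
    data_port = 195 * 256 + 81  # 50001
    before = tracking.matches(TCP, data_port)
    tracking.observe_control("PORT 10,0,0,5,195,81")
    return static.matches(TCP, data_port), before, tracking.matches(TCP, data_port)
```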
