
Re: using port numbers in selectors



> I am talking about FTP ports (within TCP protocol, of course).
> FTP ports (typically) means port 21 and 20. But often it also means 21 and
> some-other-dynamically-assigned port - what should be done in this case for
> selectors?

Wildcard the some-other-port bit, of course.

> The whole issue of bringing port selectors into IPSec is a big mistake to
> begin with (IMHO) - ports belong in the Transport Layer, not to IP
> layer. Bringing them into IPSec is a poor attempt to filter traffic based
> on selectors that is better implemented by Transport Layers security or
> firewalls.

Do you write end-system code that extensively uses transport mode IPsec at
all?  I'll bet you don't, because if you did you'd totally understand why
port selectors are there in the first place.

Do you have customers asking you if you can secure their legacy apps
end-to-end with IPsec?  I do.

And yes, Solaris IPsec has port selectors and/or per-socket IPsec policy.

To answer Dan H's question about precedence, we parse in order of rule-entry,
so it's up to the admin to decide how a question of conflict gets answered.

Dan McD. (the other Dan)
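The two mechanisms the reply relies on, wildcarding the dynamically assigned FTP data port in a selector and resolving overlapping rules by first match in rule-entry order, modelled as a small policy table. This is an added example, not code from the thread or from Solaris IPsec; the addresses, rule names, the "protect"/"bypass"/"discard" actions and the fall-through to discard when nothing matches are all constructed assumptions for illustration.

```python
# Added example: a minimal model of an IPsec security policy database whose
# selectors carry transport ports, with first-match lookup in rule-entry
# order. Addresses, rule names and the default action are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

TCP = 6


@dataclass(frozen=True)
class Selector:
    """Traffic selector; None in proto/sport/dport is a wildcard."""
    src: str                       # CIDR or host, e.g. "10.0.0.0/24"
    dst: str
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src: str, dst: str, proto: int, sport: int, dport: int) -> bool:
        if ip_address(src) not in ip_network(self.src, strict=False):
            return False
        if ip_address(dst) not in ip_network(self.dst, strict=False):
            return False
        for want, got in ((self.proto, proto), (self.sport, sport), (self.dport, dport)):
            if want is not None and want != got:   # wildcard never rejects
                return False
        return True


@dataclass(frozen=True)
class Rule:
    name: str
    selector: Selector
    action: str   # "protect" (apply IPsec), "bypass" (cleartext) or "discard"


def lookup(policy: List[Rule], src: str, dst: str, proto: int,
           sport: int, dport: int) -> Tuple[str, str]:
    """First rule whose selector matches wins; no match falls through to discard.
    Because lookup is first-match, rule order decides any overlap."""
    for rule in policy:
        if rule.selector.matches(src, dst, proto, sport, dport):
            return rule.name, rule.action
    return "default", "discard"


CLIENT, SERVER = "10.0.0.5", "10.0.0.1"   # constructed hosts

# FTP: the control connection has a fixed port; the data connection does not
# (active mode comes from server port 20, passive mode uses a server-chosen
# port), so the data-port side of the selector is left wildcarded.
FTP_POLICY = [
    Rule("ftp-control", Selector(CLIENT, SERVER, TCP, dport=21), "protect"),
    Rule("ftp-active-data", Selector(SERVER, CLIENT, TCP, sport=20), "protect"),
    Rule("ftp-passive-data", Selector(CLIENT, SERVER, TCP), "protect"),
]


def ftp_decisions() -> dict:
    """Which rule handles each leg of an FTP session, plus an unrelated flow."""
    return {
        "control": lookup(FTP_POLICY, CLIENT, SERVER, TCP, 40001, 21),
        "active": lookup(FTP_POLICY, SERVER, CLIENT, TCP, 20, 40002),
        "passive": lookup(FTP_POLICY, CLIENT, SERVER, TCP, 40003, 55000),
        "unrelated": lookup(FTP_POLICY, CLIENT, "10.0.0.9", TCP, 40004, 80),
    }


def precedence_demo() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Same two overlapping rules, entered in opposite orders: the admin's
    ordering, not the rule's specificity, decides the outcome."""
    bypass_web = Rule("bypass-web",
                      Selector("0.0.0.0/0", "0.0.0.0/0", TCP, dport=80), "bypass")
    protect_all = Rule("protect-all", Selector("0.0.0.0/0", "0.0.0.0/0"), "protect")
    web_first = lookup([bypass_web, protect_all], CLIENT, SERVER, TCP, 40005, 80)
    catch_all_first = lookup([protect_all, bypass_web], CLIENT, SERVER, TCP, 40005, 80)
    return web_first, catch_all_first


if __name__ == "__main__":
    for leg, decision in ftp_decisions().items():
        print(f"{leg:10s} -> {decision}")
    print("precedence:", precedence_demo())
```

The precedence demo is the part worth noticing when auditing a policy: a broad "protect everything" rule entered ahead of a narrower bypass silently swallows it, so the check to run against a first-match table is whether any later rule is fully shadowed by an earlier one.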

