
Re: Bruce Schneier on IPsec



On Tue, 1 Feb 2000, Bill Sommerfeld wrote:
> [is tunnel mode superfluous?]
> Now, if all of your interfaces (including your tunnels) are set up
> with appropriate inbound filters, this isn't a big deal, but
> traditionally, that sort of filtering is not part of an IP stack.

It may not be traditional, but it is increasingly common in the real
world.  And the sysadmins are not going to want to deal with two separate
filtering mechanisms, one inside IPSec and one for everything else.

> Always having the inner ip header (making the outer ip header
> irrelevant) would allow the check to always be done as part of ipsec
> rather than over in some other part of the system.

And this is important why?

                                                          Henry Spencer
                                                       henry@spsystems.net


