
Re: IPSec Complexity

>  It's not just deciding whether to protect a certain flow with 3DES and
>SHA and the other with DES and MD5 (your example). A selector can also
>specify an action of "drop". If you tunnel something through UDP and
>do IPSec protection on the UDP traffic then you're opening up your entire
>network to whatever the peer decides to put in the tunnel.

>  You're right that most people won't really care that much whether FTP
>and telnet have different algorithms applied to protect them but they
>would probably care if putting a protect selector for L2TP, e.g.
>           "10.10.10.1 udp <---> 172.16.2.1 udp 1701 protect"
>would implicitly make a bypass selector for everything, e.g.
>           "any <--> any allow"

Not so, if we step outside the IPSec-only paradigm.  It is inadequate to assume that IPSec
will replace/reinvent all access control policies that have been in place.
There are gateways that can apply on-the-fly ACLs on a per-connection basis.
Such policies can be defined per group/per user/per host and deployed via LDAP.
Using Selector lists to define access control does not scale and is operationally
inefficient.

Sudeep
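Added example, not part of either message above: a constructed model of an SPD as an ordered list of selectors with the three actions the thread mentions (protect, bypass/allow, drop). It shows that a single "protect" entry for the L2TP flow does not turn into an "any <--> any allow" when unmatched traffic falls through to an explicit default of "drop", and that a packet arriving inside the tunnel is checked against the same policy instead of being trusted because the outer UDP was protected. The Selector/Packet classes, addresses and the `tunnel_ingress` helper are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Selector:
    src: str              # CIDR such as "10.10.10.1/32"; "any" matches all
    dst: str
    proto: str            # "udp", "tcp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "protect" | "bypass" | "drop"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def _matches(sel: Selector, pkt: Packet) -> bool:
    def net_ok(net: str, addr: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net, strict=False)
    return (net_ok(sel.src, pkt.src) and net_ok(sel.dst, pkt.dst)
            and sel.proto in ("any", pkt.proto)
            and (sel.dport is None or sel.dport == pkt.dport))


def lookup(spd: List[Selector], pkt: Packet, default: str = "drop") -> str:
    """First matching selector wins; anything unmatched gets the explicit
    default, so a lone 'protect' entry never implies a global bypass."""
    for sel in spd:
        if _matches(sel, pkt):
            return sel.action
    return default


def tunnel_ingress(spd: List[Selector], outer: Packet, inner: Packet) -> str:
    """Outer packet must hit a 'protect' selector; the decapsulated inner
    packet is then evaluated against the same SPD rather than trusted."""
    if lookup(spd, outer) != "protect":
        return "drop"
    return lookup(spd, inner)


# Constructed SPD holding only the L2TP entry quoted in the thread.
SPD = [Selector("10.10.10.1/32", "172.16.2.1/32", "udp", 1701, "protect")]
```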
