Re: IPSec Complexity
Nobody said that IPSec will replace/reinvent all access control policies.
I just said that IPSec has access control mechanisms and by doing transport
mode on some other tunneling method -- IPinIP or L2TP -- you lose that. Period.
Dan.
On Fri, 18 Feb 2000 11:20:03 PST you wrote
>
> > You're right that most people won't really care that much whether FTP
> >and telnet have different algorithms applied to protect them but they
> >would probably care if putting a protect selector for L2TP, e.g.
> > "10.10.10.1 udp <---> 172.16.2.1 udp 1701 protect"
> >would implicitly make a bypass selector for everything, e.g.
> > "any <--> any allow"
>
> Not so, if we step outside the IPSec-only paradigm. It is inadequate to assume
> that IPSec will replace/reinvent all access control policies that have been
> in place. There are gateways that can apply on-the-fly ACLs on a per-connection
> basis. Such policies can be defined per group/per user/per host and deployed
> via LDAP. Using selector lists to define access control does not scale and is
> operationally inefficient.
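As an added illustration of the point Dan makes above (example code written for this page, not taken from the thread or from any IPsec implementation): a toy SPD lookup that compares IPsec tunnel mode with per-flow selectors against L2TP carried over transport-mode IPsec. The addresses and the "udp 1701 protect" selector come from the quoted message; the remaining SPD entries, the host names, and the three sample flows are constructed for the example.

```python
"""Toy IPsec Security Policy Database (SPD) lookup.

Added example, not part of the original thread: it models the point under
discussion, namely that protecting an L2TP flow with transport-mode IPsec
presents only the outer UDP/1701 header to the selectors, so every flow
carried inside the tunnel inherits one decision. The addresses are the
ones from the quoted message; the SPD contents are assumed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields an SPD selector looks at, plus an optional inner packet."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None       # None when the protocol has no port
    inner: Optional["Packet"] = None  # payload packet when encapsulated


@dataclass(frozen=True)
class Selector:
    """One SPD entry in RFC 2401 style: a traffic selector and its action."""
    src: str               # CIDR; "0.0.0.0/0" means any
    dst: str
    proto: str             # "any" or a protocol name
    dport: Optional[int]   # None means any port
    action: str            # "protect", "bypass" or "discard"

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def spd_lookup(spd: List[Selector], p: Packet) -> str:
    """First matching entry wins; a packet matching no entry is discarded."""
    for entry in spd:
        if entry.matches(p):
            return entry.action
    return "discard"


# Constructed hosts: the L2TP client and the security gateway from the quote.
HOST_A = "10.10.10.1"
GW_B = "172.16.2.1"

# Assumed tunnel-mode SPD: explicit per-flow selectors. Only FTP control and
# SSH from host A to gateway B are protected; everything else falls through
# to the implicit discard.
TUNNEL_MODE_SPD = [
    Selector(HOST_A + "/32", GW_B + "/32", "tcp", 21, "protect"),
    Selector(HOST_A + "/32", GW_B + "/32", "tcp", 22, "protect"),
]

# Assumed L2TP-over-IPsec SPD: the single selector from the quoted message,
# "10.10.10.1 udp <---> 172.16.2.1 udp 1701 protect".
L2TP_SPD = [
    Selector(HOST_A + "/32", GW_B + "/32", "udp", 1701, "protect"),
]


def decide_tunnel_mode(flow: Packet) -> str:
    """IPsec tunnel mode: the selectors are applied to the flow itself."""
    return spd_lookup(TUNNEL_MODE_SPD, flow)


def decide_l2tp_transport(flow: Packet) -> str:
    """L2TP/IPsec transport mode: the flow is wrapped in UDP/1701 first, and
    only that outer header is ever matched against the SPD. The inner flow
    inherits the outer decision, i.e. an implicit "any <--> any allow"
    once the L2TP flow itself is permitted."""
    outer = Packet(HOST_A, GW_B, "udp", 1701, inner=flow)
    return spd_lookup(L2TP_SPD, outer)


def compare(flows: Dict[str, Packet]) -> Dict[str, Tuple[str, str]]:
    """Decision for each named flow as (tunnel mode, L2TP transport mode)."""
    return {name: (decide_tunnel_mode(f), decide_l2tp_transport(f))
            for name, f in flows.items()}


if __name__ == "__main__":
    # Constructed flows from host A into the protected network.
    flows = {
        "ftp to gateway": Packet(HOST_A, GW_B, "tcp", 21),
        "telnet to gateway": Packet(HOST_A, GW_B, "tcp", 23),
        "smb to internal host": Packet(HOST_A, "172.16.2.50", "tcp", 445),
    }
    for name, (tunnel, l2tp) in compare(flows).items():
        print(f"{name:22s} tunnel-mode selectors: {tunnel:8s} L2TP/transport: {l2tp}")
```

Running it shows the telnet and SMB flows discarded by the tunnel-mode selectors but passed unexamined once they ride inside the protected L2TP flow; any filtering of those inner flows has to come from something other than the IPsec SPD, which is exactly the access control the reply says is lost.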