
Re: IPSec Complexity



  Nobody said that IPSec will replace/reinvent all access control policies.
I just said that IPSec has access control mechanisms and by doing transport
mode on some other tunneling method-- IPinIP or L2TP-- you lose that. Period.

  Dan.

On Fri, 18 Feb 2000 11:20:03 PST you wrote
> 
> >  You're right that most people won't really care that much whether FTP
> >and telnet have different algorithms applied to protect them but they
> >would probably care if putting a protect selector for L2TP, e.g.
> >           "10.10.10.1 udp <---> 172.16.2.1 udp 1701 protect"
> >would implicitly make a bypass selector for everything, e.g.
> >           "any <--> any allow"
> 
> Not so, if we step outside the IPSec only paradigm.  It is inadequate to assume that IPSec
> will replace/reinvent all access control policies that have been in place.
> There are gateways that can apply on the fly ACLs on per connection basis.
> Such policies can be defined per group/per user/per host and deployed via LDAP.
> Using Selector lists to define access control does not scale and is
> operationally inefficient.
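To make the selector point concrete, here is an added example (not code from the thread or from any IPsec implementation) that models an SPD as an ordered first-match list. The SPD entries, the entry names and the sample flows are constructed; the L2TP selector is the one quoted above, and it shows that once telnet and FTP ride the L2TP tunnel, the SPD can only see "udp 1701" and per-flow policy is no longer expressible with IPsec selectors.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = None  # wildcard in a selector field
@dataclass(frozen=True)
class Selector:
    """One SPD entry (constructed model); every entry here is a protect entry."""
    name: str
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    dport: Optional[int]

    def matches(self, pkt: Dict) -> bool:
        wanted = (("src", self.src), ("dst", self.dst),
                  ("proto", self.proto), ("dport", self.dport))
        return all(v is ANY or v == pkt[k] for k, v in wanted)

def spd_lookup(spd: List[Selector], pkt: Dict, default: str = "default-discard") -> str:
    """Ordered first-match lookup; returns the governing entry name or `default`.
    RFC 2401 requires unmatched traffic to be discarded; `default` is a parameter
    only to show the implicit "any <--> any allow" the thread warns against."""
    for sel in spd:
        if sel.matches(pkt):
            return sel.name
    return default

def l2tp_encapsulate(inner: Dict) -> Dict:
    """Outer header the SPD sees once a flow rides the L2TP tunnel (constructed)."""
    return {"src": inner["src"], "dst": inner["dst"], "proto": "udp", "dport": 1701}

# Constructed SPD: per-flow entries plus the L2TP selector quoted in the thread.
SPD = [
    Selector("telnet-protect", "10.10.10.1", "172.16.2.1", "tcp", 23),
    Selector("ftp-protect",    "10.10.10.1", "172.16.2.1", "tcp", 21),
    Selector("l2tp-protect",   "10.10.10.1", "172.16.2.1", "udp", 1701),
]

# Constructed sample flows between the same two hosts (smtp has no SPD entry).
FLOWS = {
    "telnet": {"src": "10.10.10.1", "dst": "172.16.2.1", "proto": "tcp", "dport": 23},
    "ftp":    {"src": "10.10.10.1", "dst": "172.16.2.1", "proto": "tcp", "dport": 21},
    "smtp":   {"src": "10.10.10.1", "dst": "172.16.2.1", "proto": "tcp", "dport": 25},
}

def decisions(tunneled: bool, default: str = "default-discard") -> Dict[str, str]:
    """Which SPD entry (or the default) governs each flow, with or without L2TP."""
    return {name: spd_lookup(SPD, l2tp_encapsulate(pkt) if tunneled else pkt, default)
            for name, pkt in FLOWS.items()}
```

With `tunneled=True` every flow, including the unlisted smtp one, collapses onto the single `l2tp-protect` entry, which is the loss of IPsec-level access control the reply describes.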

