
RE: Windows 2000 and Cisco router interoperability



At 11:41 AM -0700 5/14/00, Jan Vilhuber wrote:
>In some people's minds, it's an acceptable trade-off, and others will think
>differently.
>
>Personally, I don't see much difference with doing a check after decryption
>and decapsulation, than doing it before. Yes, you may lose some context, but
>so what.
>
>You can either burden IKE and IPSEC with a whole bunch more mechanisms for
>user-authentication, authorization, and accounting, thus making the protocols
>even MORE complex (and thus less likely to be completely understood and
>analyzed for weaknesses), OR you can combine two simple (relatively)
>mechanisms, and combine them. In fact, it is precisely because I DON'T want to
>revisit these protocols, that I'm advocating l2tp+ipsec.
>
>The loss of security you claim exists there, I don't see.
>
>jan

As I noted, if one has lost the binding between a packet and the SA 
via which it arrived, because the access control decision is being 
made outside the IPsec module, then this decision is being made based 
on unauthenticated inputs, which is no better than what one gets from 
a typical firewall w/o IPsec.  I'd say this is a significant 
degradation of the security potential offered by IPsec.

Steve
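The distinction Steve draws above, modelled as an added example (this is not code from the thread or from any IPsec implementation). It constructs a tiny SA database and access list, then compares an access-control decision made inside the IPsec module, where the decapsulated packet is still bound to the SA it arrived on and therefore to the IKE-authenticated peer identity, with the same decision made afterwards on the inner packet alone, where the only available input is the inner source address the sender wrote. All names (`SA`, `Packet`, `ipsec_bound_check`, `post_decap_firewall`, the addresses and SPIs) are constructed for the illustration.

```python
"""Toy model of an access-control decision made with, versus without, the
binding between a packet and the IPsec SA it arrived on.

Everything here is constructed for illustration: the SA database, the access
list, the addresses and the SPIs are invented sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    spi: int
    peer_id: str            # identity authenticated by IKE when the SA was set up
    allowed_inner_src: str  # traffic selector negotiated for this SA


@dataclass(frozen=True)
class Packet:
    spi: int        # SA the protected packet arrived on
    inner_src: str  # source address inside the tunnel, chosen by the sender
    inner_dst: str  # destination inside the protected network
    payload: bytes


# Access rule: which authenticated identity may reach which internal host
# (constructed sample policy).
ACL = {
    "alice": {"10.0.0.5"},   # alice may reach the payroll server
    "bob":   {"10.0.0.9"},   # bob may reach only the print server
}

# A post-decapsulation firewall no longer sees the SA, so the only way it can
# relate a packet to an identity is by looking the inner address up in a table.
ADDR_TO_ID = {"192.168.1.10": "alice", "192.168.1.20": "bob"}

# Constructed SA database: each SA carries the identity IKE authenticated and
# the inner-source selector negotiated for it.
SADB = {
    1001: SA(1001, "alice", "192.168.1.10"),
    1002: SA(1002, "bob", "192.168.1.20"),
}


def ipsec_bound_check(pkt: Packet) -> bool:
    """Decision inside the IPsec module.

    The packet is still bound to its SA, so the inner source is checked
    against the selector negotiated for that SA, and the ACL is applied to
    the IKE-authenticated peer identity rather than to an address.
    """
    sa = SADB.get(pkt.spi)
    if sa is None:
        return False                      # no such SA: drop
    if pkt.inner_src != sa.allowed_inner_src:
        return False                      # inner packet does not belong to this SA
    return pkt.inner_dst in ACL.get(sa.peer_id, set())


def post_decap_firewall(pkt: Packet) -> bool:
    """Decision after decapsulation, with the SA binding lost.

    The only input is the inner source address, which the sender chose, so
    the identity this derives is unauthenticated.
    """
    ident = ADDR_TO_ID.get(pkt.inner_src)
    return ident is not None and pkt.inner_dst in ACL.get(ident, set())


def compare(pkt: Packet) -> tuple:
    """Return (decision with SA binding, decision without SA binding)."""
    return ipsec_bound_check(pkt), post_decap_firewall(pkt)


if __name__ == "__main__":
    # Constructed sample traffic.
    legit = Packet(1001, "192.168.1.10", "10.0.0.5", b"ok")
    # Same inner addresses, but carried on bob's SA rather than alice's.
    mismatched = Packet(1002, "192.168.1.10", "10.0.0.5", b"??")
    print("consistent packet:", compare(legit))        # (True, True)
    print("SA/inner mismatch:", compare(mismatched))   # (False, True)
```

The second case is the one the reply is about: the inner addresses alone look like alice's traffic, so a filter that runs after decapsulation admits it, while the check bound to the SA sees that the packet arrived on bob's SA and rejects it. Only the SA-bound path is deciding on an authenticated input.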


