[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Windows 2000 and Cicsco router interoperability

To: "CHINNA N.R. PELLACURU" <pcn@cisco.com>
Subject: RE: Windows 2000 and Cicsco router interoperability
From: Chris Trobridge <CTrobridge@baltimore.com>
Date: Tue, 16 May 2000 17:59:55 +0100
Cc: ipsec@lists.tislabs.com
Sender: owner-ipsec@lists.tislabs.com

> From: CHINNA N.R. PELLACURU [mailto:pcn@cisco.com]
> Sent: 16 May 2000 17:06
> To: Chris Trobridge
> Cc: Stephen Kent; Andrew Krywaniuk; 'Jan Vilhuber';
> ipsec@lists.tislabs.com
> Subject: RE: Windows 2000 and Cicsco router interoperability
> 
> 
> So, you want filtering in IPSec, but you really think the filtering in
> IPSec is primitive, and really feel that it should be handled 
> elsewhere!

That's not what I wrote!

There already is strongly coupled filtering, if a little primitive, in
IPSEC.  It is stronger because the filtering ties up the IP addresses with
the SA selector.  This information may be lost if the checking is done
later.  The filtering is primitive because the selector rules don't cope
with policy like "ftp to host A, pop3 or smtp to host B, or http to hosts C
or D" - they allow a limited specification of ranges/wildcards.

I don't think the filtering should be done in IPSEC but it should take
account of the IPSEC SA.  I think the principle role of IPSEC should be to
provide secure communications between two points - eg provide services for
traffic confidentiality, authentication and integrity between two points.
Access control etc I think should be elsewhere.

Chris

>     chinna
> 
> On Tue, 16 May 2000, Chris Trobridge wrote:
> 
> > The point is that with an IPSEC SA traffic is only allowed 
> that matches the
> > selector for that SA.  In the access control case this 
> means you can enforce
> > that anyone who connects via an IPSEC tunnel can only send 
> or receive
> > datagrams associated with his client address.  This 
> prevents him from
> > spoofing other clients or hosts and from receiving traffic 
> not addressed to
> > him.
> > 
> > The moment you tunnel L2TP through an SA IPSEC loses its 
> ability to perform
> > this filtering.  Depending on the whether 'extra' work has 
> been done, once
> > IPSEC processing has been completed the L2TP layer will not 
> know via which
> > SA a datagram was received, allowing a client to spoof 
> other addresses.
> > 
> > However, I agree with Andrew:  The packet filtering in 
> IPSEC is rather
> > primitive and would be better provided via an IPSEC aware firewall.
> > 
> > Chris

Follow-Ups:

RE: Windows 2000 and Cicsco router interoperability

From: "CHINNA N.R. PELLACURU" <pcn@cisco.com>

Prev by Date: RE: Windows 2000 and Cicsco router interoperability
Next by Date: RE: Windows 2000 and Cicsco router interoperability
Prev by thread: Re: Windows 2000 and Cicsco router interoperability
Next by thread: RE: Windows 2000 and Cicsco router interoperability
Index(es):
- Main
- Thread