RE: Windows 2000 and Cicsco router interoperability
I think that is what most of us feel.
chinna
On Tue, 16 May 2000, Chris Trobridge wrote:
> > From: CHINNA N.R. PELLACURU [mailto:pcn@cisco.com]
> > Sent: 16 May 2000 17:06
> > To: Chris Trobridge
> > Cc: Stephen Kent; Andrew Krywaniuk; 'Jan Vilhuber';
> > ipsec@lists.tislabs.com
> > Subject: RE: Windows 2000 and Cicsco router interoperability
> >
> >
> > So, you want filtering in IPSec, but you really think the filtering in
> > IPSec is primitive, and really feel that it should be handled
> > elsewhere!
>
> That's not what I wrote!
>
> There already is strongly coupled filtering, if a little primitive, in
> IPSEC. It is stronger because the filtering ties up the IP addresses with
> the SA selector. This information may be lost if the checking is done
> later. The filtering is primitive because the selector rules don't cope
> with policy like "ftp to host A, pop3 or smtp to host B, or http to hosts C
> or D" - they allow a limited specification of ranges/wildcards.
>
> I don't think the filtering should be done in IPSEC but it should take
> account of the IPSEC SA. I think the principal role of IPSEC should be to
> provide secure communications between two points - eg provide services for
> traffic confidentiality, authentication and integrity between two points.
> Access control etc I think should be elsewhere.
>
> Chris
>
> > chinna
> >
> > On Tue, 16 May 2000, Chris Trobridge wrote:
> >
> > > The point is that with an IPSEC SA traffic is only allowed that matches the
> > > selector for that SA. In the access control case this means you can enforce
> > > that anyone who connects via an IPSEC tunnel can only send or receive
> > > datagrams associated with his client address. This prevents him from
> > > spoofing other clients or hosts and from receiving traffic not addressed to
> > > him.
> > >
> > > The moment you tunnel L2TP through an SA IPSEC loses its ability to perform
> > > this filtering. Depending on whether 'extra' work has been done, once
> > > IPSEC processing has been completed the L2TP layer will not know via which
> > > SA a datagram was received, allowing a client to spoof other addresses.
> > >
> > > However, I agree with Andrew: The packet filtering in IPSEC is rather
> > > primitive and would be better provided via an IPSEC aware firewall.
> > >
> > > Chris
>
chinna narasimha reddy pellacuru
s/w engineer
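The mechanism Chris describes above, modelled as an added example (not code from the thread or from any IPsec implementation): an inbound SA selector check binds a tunnel to its client address, but when L2TP rides inside the SA the selector only covers the outer UDP/1701 datagram, so the inner IP packet goes unchecked unless the SA identity is passed down to the L2TP layer. All addresses, SPIs and packets are constructed sample values; `Selector`, `SA`, `L2TPFrame` and the `bindings` table are assumptions of this model, not real API names.

```python
"""Model of per-SA selector enforcement and the L2TP-over-IPsec gap.

Added example for the mailing-list discussion; not from the thread.
Every address, SPI and packet below is a constructed sample value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int          # 6 = TCP, 17 = UDP
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    """Traffic selector of an SA: which packets the SA is allowed to carry."""
    src: str                      # CIDR for the remote (client) side
    dst: str                      # CIDR for the protected side
    proto: Optional[int] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport))


@dataclass(frozen=True)
class SA:
    spi: int
    selector: Selector


def ipsec_inbound(sa: SA, pkt: Packet) -> bool:
    """Inbound check after decryption: the packet is accepted only if it
    matches the selector of the SA it arrived on. This is what ties the
    tunnel to the client's address and stops it spoofing other hosts."""
    return sa.selector.matches(pkt)


@dataclass(frozen=True)
class L2TPFrame:
    """A UDP/1701 datagram (outer) carrying an encapsulated IP packet (inner);
    the PPP header is elided for the model."""
    outer: Packet
    inner: Packet


def l2tp_inbound(frame: L2TPFrame, sa: SA,
                 bindings: Dict[int, str], sa_aware: bool) -> bool:
    """IPsec only sees the outer UDP/1701 packet. Whether the inner source
    address is checked depends on the L2TP layer knowing which SA the
    datagram came in on (the 'extra work' in the discussion)."""
    if not ipsec_inbound(sa, frame.outer):
        return False
    if not sa_aware:
        # Plain L2TP: SA identity was lost at decapsulation, inner src unchecked.
        return True
    # SA-aware L2TP: inner src must be the address bound to this SA's session.
    expected = bindings.get(sa.spi)
    return expected is not None and frame.inner.src == expected


# Constructed sample policy: a plain IPsec tunnel for client 10.1.1.5 ...
CLIENT_SA = SA(spi=0x1001, selector=Selector("10.1.1.5/32", "192.168.0.0/24"))
# ... and an L2TP/IPsec tunnel whose selector covers only UDP/1701 to the gateway.
L2TP_SA = SA(spi=0x2002, selector=Selector("203.0.113.7/32", "198.51.100.1/32",
                                           proto=17, dport=1701))
# Per-session binding an SA-aware L2TP layer would keep: SPI -> assigned client IP.
BINDINGS = {0x2002: "10.1.1.5"}

L2TP_OUTER = Packet("203.0.113.7", "198.51.100.1", 17, 1701)
SPOOFED_FRAME = L2TPFrame(L2TP_OUTER, Packet("10.1.1.6", "192.168.0.10", 6, 80))
HONEST_FRAME = L2TPFrame(L2TP_OUTER, Packet("10.1.1.5", "192.168.0.10", 6, 80))


def demo() -> Dict[str, bool]:
    """Return the outcome of each scenario so it can be inspected or asserted."""
    return {
        "plain_ipsec_own_addr": ipsec_inbound(CLIENT_SA, Packet("10.1.1.5", "192.168.0.10", 6, 80)),
        "plain_ipsec_spoofed":  ipsec_inbound(CLIENT_SA, Packet("10.1.1.6", "192.168.0.10", 6, 80)),
        "l2tp_spoofed_unaware": l2tp_inbound(SPOOFED_FRAME, L2TP_SA, BINDINGS, sa_aware=False),
        "l2tp_spoofed_aware":   l2tp_inbound(SPOOFED_FRAME, L2TP_SA, BINDINGS, sa_aware=True),
        "l2tp_honest_aware":    l2tp_inbound(HONEST_FRAME, L2TP_SA, BINDINGS, sa_aware=True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accept' if ok else 'drop'}")
```

The `sa_aware=False` branch is the gap the thread describes: IPsec accepted the outer UDP/1701 datagram against its selector, but the inner packet with a spoofed source is forwarded anyway. Passing the SPI down to the L2TP layer and checking the inner source against the session binding is the kind of "IPSEC aware" check an external filter would need to do the same job.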