
Re: Protection of port 500



> On Mon, 15 Jan 2001, Pervaiz Rizvi wrote:
> > Do you mean IPsec implementations silently
> > ignore the configured policy to protect
> > udp/500 with IPsec?
> 
> A configured policy which does not include an exception for UDP/500
> (perhaps subject to other constraints) is erroneous and should be reported
> as such. 

Another approach is to allow trusted applications (e.g. an IKE daemon) to
bypass the appropriate port(s) because the application is trusted to protect
itself.

In Solaris, for example, utter "man ipsec" and look for "Per-Socket Policy".

Dan
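To make the two approaches in this exchange concrete, here is an added example (it is not from the thread and not Solaris code): a toy first-match SPD model in Python whose validation step reports the erroneous policy the quoted reply describes (IPsec required for UDP/500 with no exception), plus a trusted-socket bypass set standing in for Solaris per-socket policy. The `Rule` and `Policy` names and the rule format are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# IKE negotiates the SAs that protect everything else, so its own UDP/500
# traffic must be able to leave in the clear or no SA can ever be created.
IKE_PORT = 500


@dataclass
class Rule:
    action: str                   # "bypass", "protect" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    port: Optional[int] = None    # matches local or remote port; None matches any


@dataclass
class Policy:
    rules: List[Rule]             # first match wins, like an SPD
    # (proto, local port) pairs claimed by trusted applications, e.g. an IKE
    # daemon, in the spirit of Solaris "Per-Socket Policy" (assumed model).
    trusted_bypass: Set[Tuple[str, int]] = field(default_factory=set)


def lookup(policy: Policy, proto: str, lport: int, rport: int) -> str:
    """Decide what happens to one packet: per-socket bypass wins, then SPD order."""
    if (proto, lport) in policy.trusted_bypass:
        return "bypass"
    for r in policy.rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.port is not None and r.port not in (lport, rport):
            continue
        return r.action
    return "bypass"               # no matching rule: no policy, cleartext


def validate(policy: Policy) -> List[str]:
    """Return the problems that should be reported before the policy is loaded."""
    problems = []
    # Initiator and responder both use UDP/500 locally and remotely (classic IKE).
    if lookup(policy, "udp", IKE_PORT, IKE_PORT) != "bypass":
        problems.append(
            "policy would apply IPsec to UDP/500, but IKE must run in the clear "
            "to create the SAs that policy needs; add a UDP/500 exception or a "
            "trusted per-socket bypass for the IKE daemon"
        )
    return problems
```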


