
Re: Protection of port 500



> > On Mon, 15 Jan 2001, Pervaiz Rizvi wrote:
> > > Do you mean IPsec implementations silently
> > > ignore the configured policy to protect
> > > udp/500 with IPsec?
> > 
> > A configured policy which does not include an exception for UDP/500
> > (perhaps subject to other constraints) is erroneous and should be reported
> > as such. 
> 
> Another approach is to allow trusted applications (e.g. an IKE daemon) to
> bypass the appropriate port(s) because the application is trusted to protect
> itself.
> 
> In Solaris, for example, utter "man ipsec" and look for "Per-Socket Policy".
> 

Isn't this approach just looking for trouble? Can applications be trusted
to protect themselves from, let's say, DoS attacks? I'd want at least
the option of some lower layer policy enforcement (ACLs, filters, etc.) in
addition to whatever the app layer provides.

-mdf
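Added example, not from the thread or from any IPsec implementation: a small checker for the point quoted above, that a policy requiring IPsec on all traffic without a bypass exception for UDP/500 locks the IKE daemon out and should be reported. The rule format, the first-match lookup, the bypass default and the sample policies are all constructed for this example and do not follow any real SPD syntax.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_PORT = 500  # IKE (ISAKMP) listens on UDP/500, as discussed in the thread


@dataclass(frozen=True)
class Rule:
    """One constructed policy entry; not a real SPD entry format."""
    proto: str            # "udp", "tcp" or "any"
    port: Optional[int]   # destination port, None for any port
    action: str           # "bypass", "require" (IPsec) or "discard"


def lookup(rules: List[Rule], proto: str, port: int) -> str:
    """First-match lookup over the rule list.

    Assumption for this example: traffic matching no rule bypasses IPsec.
    """
    for r in rules:
        if r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "bypass"


def check_ike_bypass(rules: List[Rule]) -> Tuple[bool, str]:
    """Report whether IKE's own traffic (UDP/500) can leave the host unprotected.

    If the policy requires IPsec for UDP/500, IKE can never negotiate the SA
    that the policy itself depends on, so the configuration is reported as
    erroneous rather than applied silently.
    """
    action = lookup(rules, "udp", IKE_PORT)
    if action == "require":
        return False, "policy requires IPsec for UDP/500: IKE cannot negotiate any SA"
    if action == "discard":
        return False, "policy discards UDP/500: IKE cannot run"
    return True, "UDP/500 bypasses IPsec policy; IKE can negotiate SAs"


# Constructed sample policies.
ERRONEOUS = [Rule("any", None, "require")]
CORRECTED = [Rule("udp", IKE_PORT, "bypass"), Rule("any", None, "require")]
# Same rules as CORRECTED, but the catch-all comes first, so it wins the match.
MISORDERED = [Rule("any", None, "require"), Rule("udp", IKE_PORT, "bypass")]

if __name__ == "__main__":
    for name, rules in [("erroneous", ERRONEOUS), ("corrected", CORRECTED),
                        ("misordered", MISORDERED)]:
        ok, msg = check_ike_bypass(rules)
        print(f"{name:10s} {'OK ' if ok else 'ERR'} {msg}")
```

The MISORDERED case shows why the exception must precede the catch-all in a first-match lookup: the rule is present but never reached.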


