
Re: Protection of port 500



 In your previous mail you wrote:

   > I'd want at least the option of some lower layer policy enforcement (ACLs,
   > filters, etc.) in addition to whatever the app layer provides.
   
   For such paranoia, a good implementation should allow that.  We allow
   node-wide policy to disallow even the root-restricted bypass privilege we
   normally allow.  We do not default to that, so that we can make our IKE
   daemon do per-socket bypass, as well as allow future versions of diagnostic
   tools (e.g. traceroute) to potentially bypass policy on a per-invocation
   basis.
   
=> FreeBSD 4.2 (and all BSDs with KAME based IPsec support) has a ping[6]
with a policy option. I have just tried with a remote site configured
with required ESP for everything and it works as you believe (i.e. a ping
with no policy or the default output policy (out entrust) triggers IKE
exchanges and works after a small delay, the same with "out bypass" fails
because the peer rejects unprotected echo requests).
This is exactly what you have just described using your proposed API
(draft-mcdonald-simple-ipsec-api-01.txt) ideas...

Thanks

Francis.Dupont@enst-bretagne.fr

