Re: IPsec and RTP crypto
At 7:09 PM -0400 4/4/01, Henry Spencer wrote:
>On Wed, 4 Apr 2001, Michael Thomas wrote:
>> I seem to recall Bill Sommerfeld making similar
>> remarks as Jeff about Sun's stack and I think
>> I remember that Freeswan doesn't have the ability
>> to filter off of ports yet...
>
>Correct on the FreeS/WAN part (can't answer for Sun!). This is being
>fixed, although as Sandy commented, we belong to the faction which says
>that you are usually better off just encrypting *everything* -- if only
>because it denies useful information to the bad guys -- unless there are
>truly compelling reasons not to.
>
Port-level SPD selectors, like all other SPD entry selectors, are
part of an access control mechanism, as described in 2401. So, even
if one does elect to "encrypt everything" to a destination, there is
good reason for complying with the standard in this regard.
Steve
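
Added example, not part of the original thread: a minimal model of an ordered SPD lookup, using the RFC 2401 actions (apply IPsec, bypass, discard), that contrasts an "encrypt everything" policy with one that uses port-level selectors as access control. The addresses, ports, policy entries and all names in the code are constructed for illustration, and the selector set is simplified to destination address, protocol and destination port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = None  # wildcard selector value


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str   # "udp", "tcp", ...
    dport: int


@dataclass(frozen=True)
class SPDEntry:
    dst_net: str
    proto: object   # protocol name or ANY
    dport: object   # port number or ANY
    action: str     # "apply" (IPsec), "bypass" or "discard"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in (ANY, pkt.proto)
                and self.dport in (ANY, pkt.dport))


def spd_lookup(spd, pkt):
    """Ordered lookup: first matching entry wins, no match means discard."""
    for entry in spd:
        if entry.matches(pkt):
            return entry.action
    return "discard"


# Constructed policy 1: protect everything to the peer network, no port selectors.
ENCRYPT_EVERYTHING = [SPDEntry("192.0.2.0/24", ANY, ANY, "apply")]

# Constructed policy 2: only the RTP and SSH flows are allowed (and protected).
PORT_AWARE = [
    SPDEntry("192.0.2.10/32", "udp", 5004, "apply"),
    SPDEntry("192.0.2.10/32", "tcp", 22, "apply"),
    SPDEntry("192.0.2.0/24", ANY, ANY, "discard"),
]

RTP = Packet("192.0.2.10", "udp", 5004)      # constructed sample packets
TELNET = Packet("192.0.2.10", "tcp", 23)

if __name__ == "__main__":
    for name, spd in (("encrypt-everything", ENCRYPT_EVERYTHING),
                      ("port-aware", PORT_AWARE)):
        print(name, spd_lookup(spd, RTP), spd_lookup(spd, TELNET))
```

Under the first policy the telnet packet is encrypted but still delivered; only the port-level entries in the second policy keep it off the protected path.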