
Re: ipsec in tunnel mode and dynamic routing



On Mon, 19 Nov 2001, Joe Touch wrote:
> FWIW - this is yet another place where I'd prefer to let firewall rules 
> do their job, and IPsec to its.

I think you're missing an important point:  the "sec" in "IPsec" stands
for "security", and that encompasses more than just encryption and
authentication.  In particular, packet access controls are *inherently*
part of IP security; they are not a separate issue.  IPsec's SPD *is* a
firewall, and it is a necessary part of IPsec. 

> The "full glory" (IMO) here lies in modularization rather than a stovepipe.

Modularization is all very well for *mechanisms*, but there has to be
unified *policy* control of the mechanisms if real security is to result. 
There is nothing that says you can't implement the SPD using existing
firewall machinery, but it has to be done somehow.  Leaving the firewall
in ignorance of what's going on with IPsec -- either by separating the two
completely, or by losing information when IPsec throws a packet over the
fence to the firewall -- does not work. 

                                                          Henry Spencer
                                                       henry@spsystems.net
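The argument above, that the SPD is itself a firewall and that a firewall kept "in ignorance of what's going on with IPsec" cannot enforce policy, can be made concrete with a small model. The following is an added example, not code from this thread or from any IPsec implementation: it models an inbound SPD whose PROTECT rules record which SA the traffic must have arrived on, and compares a lookup that keeps that SA context with one that, like a separate firewall handed the decapsulated packet, sees only the inner headers. The policy, addresses, SA name and packet fields are all constructed for illustration.

```python
# Added example (not from the thread): toy model of inbound IPsec policy checks,
# showing why the policy check needs to know which SA a packet arrived on.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    via_sa: Optional[str] = None    # SA the packet was decapsulated from; None = arrived in the clear


@dataclass(frozen=True)
class SA:
    name: str
    src_net: str                    # traffic selectors negotiated for this tunnel
    dst_net: str


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str                      # "any" or a protocol name
    action: str                     # "PROTECT", "BYPASS" or "DISCARD"
    sa: Optional[str] = None        # PROTECT rules: the SA the traffic must have used

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and self.proto in ("any", pkt.proto))


# Constructed policy: traffic from the remote site 10.1.0.0/16 to the local
# 10.2.0.0/16 is only acceptable if it came through the "site-b" tunnel SA;
# any other inbound TCP to the local net is discarded.
SITE_B = SA("site-b", "10.1.0.0/16", "10.2.0.0/16")
SPD = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "any", "PROTECT", sa="site-b"),
    Rule("0.0.0.0/0", "10.2.0.0/16", "tcp", "DISCARD"),
]


def inbound_sa_check(sa: SA, inner: Packet) -> bool:
    """After decapsulation, the inner header must fall within the SA's selectors."""
    return (ip_address(inner.src) in ip_network(sa.src_net)
            and ip_address(inner.dst) in ip_network(sa.dst_net))


def decide(pkt: Packet, keep_sa_context: bool) -> str:
    """Inbound SPD lookup.  With keep_sa_context=False the lookup behaves like a
    separate firewall that only sees the decapsulated packet's headers: it can
    no longer tell a tunnelled packet from a cleartext one with the same addresses."""
    for rule in SPD:
        if not rule.matches(pkt):
            continue
        if rule.action == "PROTECT":
            if not keep_sa_context:
                return "ACCEPT"     # SA identity was lost at the hand-off
            return "ACCEPT" if pkt.via_sa == rule.sa else "DROP"
        return "ACCEPT" if rule.action == "BYPASS" else "DROP"
    return "DROP"                   # no matching rule: default deny


def demo() -> dict:
    # Two constructed packets with identical headers; only the arrival path differs.
    tunnelled = Packet("10.1.5.5", "10.2.0.10", "tcp", via_sa="site-b")
    cleartext = Packet("10.1.5.5", "10.2.0.10", "tcp", via_sa=None)
    outsider = Packet("192.0.2.7", "10.2.0.10", "tcp", via_sa="site-b")
    return {
        "tunnelled_with_context": decide(tunnelled, True),      # ACCEPT
        "cleartext_with_context": decide(cleartext, True),      # DROP
        "tunnelled_without_context": decide(tunnelled, False),  # ACCEPT
        "cleartext_without_context": decide(cleartext, False),  # ACCEPT: policy silently weakened
        "inner_header_ok": inbound_sa_check(SITE_B, tunnelled),  # True
        "inner_header_outside_sa": inbound_sa_check(SITE_B, outsider),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two lookups agree on the tunnelled packet and disagree on the cleartext one: once the SA identity is dropped at the hand-off, the PROTECT rule degenerates into an address-based allow rule, which is the "losing information when IPsec throws a packet over the fence" failure described above. The `inbound_sa_check` function models the other half of the coupling, that the decapsulated inner header has to be checked against the SA's own selectors rather than trusted blindly.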
