
Re: ipsec in tunnel mode and dynamic routing



Henry Spencer wrote:

> Modularization is all very well for *mechanisms*, but there has to be
> unified *policy* control of the mechanisms if real security is to result. 
> There is nothing that says you can't implement the SPD using existing
> firewall machinery, but it has to be done somehow.  Leaving the firewall
> in ignorance of what's going on with IPsec -- either by separating the two
> completely, or by losing information when IPsec throws a packet over the
> fence to the firewall -- does not work. 

Exactly! Retaining enough context during IPsec processing for later 
stages is required to make this work, and the ID discusses this.

That said, most IPsec implementations choose the "do everything 
internally" approach, and duplicate just enough of existing mechanisms 
to make IPsec work, but not enough to make the need for existing 
mechanisms go away. Thus, you end up with a system with 5 different 
tunneling mechanisms and 3 different places that try to make routing 
decisions, and nothing integrates.

So yes, we agree that security *policies* must cover much of network 
processing, but the *implementation* shouldn't need to re-implement 
every networking mechanism inside IPsec (or SCTP for that matter...)

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
