Re: ipsec in tunnel mode and dynamic routing
Henry Spencer wrote:
> On Mon, 19 Nov 2001, Joe Touch wrote:
>
>>FWIW - this is yet another place where I'd prefer to let firewall rules
>>do their job, and IPsec to its.
>>
>
> I think you're missing an important point: the "sec" in "IPsec" stands
> for "security", and that encompasses more than just encryption and
> authentication. In particular, packet access controls are *inherently*
> part of IP security; they are not a separate issue. IPsec's SPD *is* a
> firewall, and it is a necessary part of IPsec.
IPsec already requires that a packet, once decrypted or authenticated,
passes _with_ that information throughout the rest of the IP processing.
The packet is allowed to leave IPsec and re-enter.
There is no reason to incorporate redundant functions in IPsec to make
it monolithic.
>>The "full glory" (IMO) here lies in modularization rather than a stovepipe.
>
> Modularization is all very well for *mechanisms*,
Actually, it is intended for implementations as well.
> but there has to be
> unified *policy* control of the mechanisms if real security is to result.
Which is why packets must carry the security info with them.
> There is nothing that says you can't implement the SPD using existing
> firewall machinery, but it has to be done somehow. Leaving the firewall
> in ignorance of what's going on with IPsec -- either by separating the two
> completely, or by losing information when IPsec throws a packet over the
> fence to the firewall -- does not work.
Ahh - disconnect on my part with the term 'firewall' - I meant
'firewall rules', as per ipfw. The entirety of what is considered
a firewall includes both ipfw and IPsec, in that case.
Joe
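The point both sides of the exchange turn on (the SPD acts as a packet filter, and a separate rule set can only do its job if the packet still carries its IPsec history when it reaches the rules) can be shown with a small model. The code below is an added illustration written for this archive page, not code from either poster or from any IPsec stack. It models RFC 2401-style inbound SPD checking and an ipfw-style rule set with a "match only packets that arrived under IPsec" option (modelled on ipfw's `ipsec` match); all addresses, SPD entries, rules and packets are constructed sample data, and the class and function names are this example's own.

```python
"""Toy model of inbound IPsec processing followed by firewall rules.

Two stages, mirroring the thread:
  1. the SPD check IPsec performs after decapsulation (is this inner packet
     protected the way policy demands?), and
  2. a separate ipfw-style rule set that may or may not be able to see the
     packet's IPsec history.
Everything here (addresses, policies, packets) is constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    # IPsec history carried with the packet after decapsulation:
    # (peer gateway, IPsec protocol) or None for a cleartext packet.
    ipsec_sa: Optional[Tuple[str, str]] = None


@dataclass
class SpdEntry:
    src_net: str
    dst_net: str
    action: str            # "protect", "bypass" or "discard"
    peer: Optional[str] = None   # tunnel peer required when action == "protect"


@dataclass
class FwRule:
    action: str            # "allow" or "deny"
    src_net: str
    dst_net: str
    require_ipsec: bool = False  # like ipfw's "ipsec" option: match only
                                 # packets that carry IPsec history


def _matches(pkt: Packet, src_net: str, dst_net: str) -> bool:
    return (ip_address(pkt.src) in ip_network(src_net)
            and ip_address(pkt.dst) in ip_network(dst_net))


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """First-match selector lookup, as an ordered SPD does it."""
    for entry in spd:
        if _matches(pkt, entry.src_net, entry.dst_net):
            return entry
    return None


def inbound_spd_check(spd: List[SpdEntry], pkt: Packet) -> bool:
    """Inbound policy check: a packet whose selectors demand protection must
    actually have arrived under an SA with the required peer. A cleartext
    packet forging a protected source address fails here. (The per-SA
    selector check against the SAD entry is omitted from this model.)"""
    entry = spd_lookup(spd, pkt)
    if entry is None or entry.action == "discard":
        return False
    if entry.action == "bypass":
        return True
    return pkt.ipsec_sa is not None and pkt.ipsec_sa[0] == entry.peer


def firewall(rules: List[FwRule], pkt: Packet) -> str:
    """First-match rule evaluation with default deny."""
    for rule in rules:
        if not _matches(pkt, rule.src_net, rule.dst_net):
            continue
        if rule.require_ipsec and pkt.ipsec_sa is None:
            continue
        return rule.action
    return "deny"


def process_inbound(spd: List[SpdEntry], rules: List[FwRule], pkt: Packet,
                    keep_history: bool = True) -> str:
    """Run the SPD check, then the rule set. keep_history=False models the
    packet being 'thrown over the fence' with its IPsec history lost."""
    if not inbound_spd_check(spd, pkt):
        return "deny"
    seen_by_rules = pkt if keep_history else Packet(pkt.src, pkt.dst, pkt.proto, None)
    return firewall(rules, seen_by_rules)


# Constructed sample policy: the remote site 10.2.0.0/24 must reach the local
# net 10.1.0.0/24 through the tunnel peer 192.0.2.2; other traffic is bypassed.
SPD = [
    SpdEntry("10.2.0.0/24", "10.1.0.0/24", "protect", peer="192.0.2.2"),
    SpdEntry("0.0.0.0/0", "10.1.0.0/24", "bypass"),
]
# Rule set that trusts the inner source address alone, and one that also
# insists the packet arrived under IPsec.
RULES_NAIVE = [FwRule("allow", "10.2.0.0/24", "10.1.0.0/24")]
RULES_IPSEC_AWARE = [FwRule("allow", "10.2.0.0/24", "10.1.0.0/24", require_ipsec=True)]

# Constructed sample packets after decapsulation.
LEGIT = Packet("10.2.0.7", "10.1.0.5", "tcp", ipsec_sa=("192.0.2.2", "esp"))
SPOOF = Packet("10.2.0.7", "10.1.0.5", "tcp", ipsec_sa=None)        # cleartext, forged source
WRONG_PEER = Packet("10.2.0.7", "10.1.0.5", "tcp", ipsec_sa=("198.51.100.9", "esp"))

if __name__ == "__main__":
    print("naive rules alone, spoofed cleartext:", firewall(RULES_NAIVE, SPOOF))
    print("ipsec-aware rules alone, spoofed cleartext:", firewall(RULES_IPSEC_AWARE, SPOOF))
    print("SPD check, spoofed cleartext:", inbound_spd_check(SPD, SPOOF))
    print("SPD check, wrong peer:", inbound_spd_check(SPD, WRONG_PEER))
    print("SPD + naive rules, legit:", process_inbound(SPD, RULES_NAIVE, LEGIT))
    print("ipsec-aware rules, history lost, legit:",
          process_inbound(SPD, RULES_IPSEC_AWARE, LEGIT, keep_history=False))
```

Three outcomes are worth reading off: the naive rule set on its own allows the spoofed cleartext packet, which is the hole Spencer describes; the SPD check rejects both the cleartext forgery and a packet that arrived under the wrong peer, which is the "SPD is a firewall" argument; and when the history is stripped before the rules run, the IPsec-aware rule can no longer match even the legitimate packet, which is the information loss both posters agree must not happen.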