
Re: ipsec in tunnel mode and dynamic routing



At 2:03 PM -0800 11/30/01, Joe Touch wrote:
>Stephen Kent wrote:
>
>>
>>2401 requires that the SA binding be maintained only within the 
>>IPsec implementation. I understood your comments to suggest 
>>something else, e.g., a separate firewall module not part of IPsec. 
>>If I misunderstood, I apologize.
>
>
>We want the SA is kept outside the IPsec, so that packets that pass 
>through other modules in the meantime will retain their SA, e.g., 
>Sec 8.4.
>
>Joe

Joe,

Your sentence is not well formed, but I suspect we do have a serious 
disagreement here.

An SA is an IPsec concept and thus it exists only within an IPsec 
module. IPsec has never been just an encryption protocol, although 
some have suggested otherwise.  Encryption, by itself, does not 
provide protection against the major forms of attack that most 
Internet users experience.  Rather, access control is the security 
service that is the focus of most security mechanisms that we employ, 
if one remembers that the primary motivation for authentication (user 
or otherwise) is as an input to an access control decision.

Since the authentication of the other IPsec peer is an IPsec 
function, it makes sense to retain that authentication info and use 
it to filter traffic within IPsec, i.e., to perform identity-based 
access control enforcement there.

Steve

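The point in the last paragraph above, that the check of a decapsulated packet against the selectors of the SA it arrived on has to happen where the SA is known, is easiest to see in a small model. The following is an added example written for this page, not code from the thread or from any IPsec implementation or from RFC 2401 itself. It models a toy SAD (two peers, each authorized for its own inner prefix, with made-up SPIs, addresses and peer names), the inbound SA-binding check done inside IPsec, and for contrast an address-only filter outside IPsec that sees the same inner packet but not the SA it came in on; decryption and integrity checking are assumed to have already succeeded.

```python
"""Toy model of inbound IPsec processing with the SA binding kept in IPsec.

Constructed example, not code from the thread or any real implementation.
All SPIs, addresses and peer identities are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class InnerPacket:
    src: str
    dst: str
    proto: str


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer_id: str       # identity authenticated (e.g. by IKE) when the SA was set up
    src_selector: str  # inner source addresses this peer may speak for
    dst_selector: str  # inner destinations this peer may reach
    proto: str         # "any" or a protocol name


# Constructed SAD: two peers, each authorized only for its own prefix.
SAD = {
    0x1001: SecurityAssociation(0x1001, "branch-a", "10.1.0.0/16", "10.0.0.0/8", "any"),
    0x1002: SecurityAssociation(0x1002, "branch-b", "10.2.0.0/16", "10.0.0.0/8", "any"),
}


def _matches(sa: SecurityAssociation, pkt: InnerPacket) -> bool:
    """Compare the decapsulated packet's selectors against the SA's selectors."""
    return (ip_address(pkt.src) in ip_network(sa.src_selector)
            and ip_address(pkt.dst) in ip_network(sa.dst_selector)
            and sa.proto in ("any", pkt.proto))


def ipsec_inbound(spi: int, inner: InnerPacket):
    """Inbound check done inside IPsec, where the SA is still known.

    Returns (verdict, reason).  The SA is looked up by SPI, so the packet is
    still bound to the authenticated peer when its inner header is checked.
    """
    sa = SAD.get(spi)
    if sa is None:
        return "DROP", "no SA for SPI"
    if not _matches(sa, inner):
        return "DROP", f"inner selectors do not match SA with peer {sa.peer_id}"
    return "PASS", f"authorized by SA with peer {sa.peer_id}"


# Constructed filter placed outside IPsec: it only ever sees the inner packet.
ALLOWED_SOURCES = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]


def external_filter(inner: InnerPacket):
    """Address-only filter with no knowledge of which SA delivered the packet."""
    if any(ip_address(inner.src) in net for net in ALLOWED_SOURCES):
        return "PASS", "source address is in an allowed range"
    return "DROP", "source address not allowed"


if __name__ == "__main__":
    # branch-b's SA carrying a packet whose inner source claims branch-a's range
    spoofed = InnerPacket("10.1.5.5", "10.0.0.10", "tcp")
    print("inside IPsec: ", ipsec_inbound(0x1002, spoofed))
    print("outside IPsec:", external_filter(spoofed))
```

Run as a script, the same packet is dropped by the in-IPsec check (it arrived on branch-b's SA but claims a branch-a address) and passed by the external filter, which has only the inner source address to go on and no way to know which peer sent it. That lost binding between authenticated peer and packet is what the message above is arguing must stay inside IPsec.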