
Re: IKEv2 traffic selector subsetting.



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Andrew" == Andrew Krywaniuk <andrew.krywaniuk@alcatel.com> writes:
    Andrew> What I am saying is that there are basically 3 different levels
    Andrew> at which the SA binding can be done:

    Andrew> 1) Do NO filtering at the SADB and pass the SA context
    Andrew> information up to the firewall a la draft-touch.

    Andrew> 2) Do the SA binding at the SADB and do the firewall filtering at
    Andrew> the firewall.

    Andrew> 3) Do BOTH the SA binding and firewall filtering at the SADB,
    Andrew> which is what it seems you are proposing.

  I guess I just don't get the problem. I must say that I was lost during
Joe's presentation as well.

  Unless you are a BITS/BITW, then I don't see why you have both an SPD/SADB
and a firewall. Sure, there are time-to-market issues why you do both for
a while. There are also political issues (turf wars) too.
  
  But, if you can architect from scratch, rfc2401 is simply "IETF standard
firewall". It happens to include strong source origination checking. It is
lacking any kind of support for stateful fragment or connection tracking, but 
it doesn't forbid that.

  In the *BSD world, people talk about combining IPF and the KAME SPD.
  In the FreeSWAN world, we plan to use the Netfilter system to implement our 
SPD. (Yes, there is an ordering constraint issue, but decorrelation solves it, 
and our UI isn't compliant about the ordering constraint at this time anyway)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys

iQCVAwUBPCFfuoqHRg3pndX9AQH0awP/Z4EDTSQyCAFGTtOdPmDDhjb5v8kFYjyw
ZjLDPnI03+FvQtXm41lWNLtOaN2I6CUztQBUWATZBZafuZ/XFaIhAB5CMaybeeSn
LX3JXaFDkvxqtK6Nf0IlVhDbE47S+aV+7mJqCmBm6N197XaObQpLiVUy/veZ2/w1
EvKbA13GFUI=
=7zy2
-----END PGP SIGNATURE-----
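The mail says that the ordering constraint of a first-match SPD is solved by decorrelation when the policy is pushed into an unordered engine such as Netfilter. The following is an added example, not code from the message, FreeS/WAN, KAME or Netfilter, showing what that means in practice: an ordered SPD is rewritten so that no two entries overlap, after which the entries classify packets identically in any order. The three-rule policy, the packet samples and the selector model (closed integer ranges over src address, dst address and dst port; protocol and src port omitted) are constructed for the demo. The subtraction works over any number of selector dimensions, so it is the general box-splitting step rather than a hard-coded version of the three rules.

```python
"""Decorrelating an ordered SPD into an order-independent rule set.

Added example (not from the original message, FreeS/WAN or Netfilter).
It illustrates decorrelation in the sense of RFC 4301 Appendix B: each
entry has everything an earlier entry would have matched subtracted from
it, so the resulting entries are disjoint and their order is irrelevant.
Selectors are modelled as tuples of inclusive integer ranges over
(src addr, dst addr, dst port); the policy below is constructed.
"""
import random
from ipaddress import IPv4Address, IPv4Network

ANY_ADDR = (0, 2**32 - 1)
ANY_PORT = (0, 65535)


def net(cidr):
    """CIDR block -> inclusive (low, high) integer range."""
    n = IPv4Network(cidr)
    return (int(n.network_address), int(n.broadcast_address))


def overlaps(a, b):
    return all(alo <= bhi and blo <= ahi for (alo, ahi), (blo, bhi) in zip(a, b))


def subtract(a, b):
    """Return disjoint boxes whose union is a minus b (works for any dimension count)."""
    if not overlaps(a, b):
        return [a]
    pieces = []
    cur = list(a)  # shrinks towards the intersection with b, which is dropped
    for d, ((alo, ahi), (blo, bhi)) in enumerate(zip(a, b)):
        if alo < blo:
            below = list(cur); below[d] = (alo, blo - 1); pieces.append(tuple(below))
        if ahi > bhi:
            above = list(cur); above[d] = (bhi + 1, ahi); pieces.append(tuple(above))
        cur[d] = (max(alo, blo), min(ahi, bhi))
    return pieces


def decorrelate(rules):
    """rules: ordered list of (selector, action). Returns non-overlapping entries."""
    out = []
    for i, (sel, action) in enumerate(rules):
        pieces = [sel]
        for earlier, _ in rules[:i]:  # carve out everything an earlier rule wins
            pieces = [q for p in pieces for q in subtract(p, earlier)]
        out.extend((p, action) for p in pieces)
    return out


def matches(sel, pkt):
    return all(lo <= v <= hi for (lo, hi), v in zip(sel, pkt))


def lookup_ordered(rules, pkt):
    """First-match semantics of a correlated (ordered) SPD."""
    for sel, action in rules:
        if matches(sel, pkt):
            return action
    return None


def lookup_unordered(entries, pkt):
    """Any-match semantics; raises if more than one entry claims the packet."""
    hits = [action for sel, action in entries if matches(sel, pkt)]
    if len(hits) > 1:
        raise ValueError("entries overlap: %r" % hits)
    return hits[0] if hits else None


def pairwise_disjoint(entries):
    return all(not overlaps(a, b) for i, (a, _) in enumerate(entries)
               for b, _ in entries[i + 1:])


def packet(src, dst, port):
    return (int(IPv4Address(src)), int(IPv4Address(dst)), port)


# Constructed policy: host 10.2.0.5 must always be protected, even on port 80,
# which rule 2 would otherwise bypass for the rest of 10.2/16; all else dropped.
POLICY = [
    ((net("10.1.0.0/16"), net("10.2.0.5/32"), ANY_PORT), "PROTECT"),
    ((net("10.1.0.0/16"), net("10.2.0.0/16"), (80, 80)), "BYPASS"),
    ((ANY_ADDR, ANY_ADDR, ANY_PORT), "DISCARD"),
]


def sample_packets(n=500, seed=7):
    """Constructed random packets biased towards the policy's blocks and port 80."""
    rng = random.Random(seed)
    srcs = [net("10.1.0.0/16"), ANY_ADDR]
    dsts = [net("10.2.0.5/32"), net("10.2.0.0/16"), ANY_ADDR]
    return [(rng.randint(*rng.choice(srcs)), rng.randint(*rng.choice(dsts)),
             rng.choice([22, 80, rng.randint(0, 65535)])) for _ in range(n)]


def equivalent(rules, entries, packets):
    """True if the decorrelated set classifies every packet as the ordered SPD does."""
    return all(lookup_ordered(rules, p) == lookup_unordered(entries, p) for p in packets)


if __name__ == "__main__":
    entries = decorrelate(POLICY)
    random.Random(3).shuffle(entries)  # order no longer carries meaning
    for sel, action in entries:
        print([(str(IPv4Address(lo)), str(IPv4Address(hi))) for lo, hi in sel[:2]], sel[2], action)
    print("disjoint:", pairwise_disjoint(entries),
          "equivalent:", equivalent(POLICY, entries, sample_packets()))
```

The point to take from running it: the correlated three-rule SPD gives a different answer for 10.1.0.7 -> 10.2.0.5:80 depending on which rule is consulted first, while the eleven decorrelated entries give the same answer however they are shuffled, which is exactly the property needed before handing entries to an engine that does not preserve the SPD's order. Decorrelation can blow up the entry count (one rule here becomes eight), so a real implementation would want to coalesce adjacent boxes afterwards.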

