
RE: IKEv2 traffic selector subsetting.



On Wed, 19 Dec 2001, Andrew Krywaniuk wrote:
> It seems to me that 2401 is trying to skirt the issue by integrating the
> functionality of a very basic firewall into IPsec (thus *causing* the SADB
> and firewall to be on the same machine).

Exactly!  This is never advertised as such in the IPsec documents for some
unfathomable reason -- much confusion would be saved if it were made more
explicit -- but they basically include a specification for an
Internet-standard minimum firewall mechanism.

Firewalls are, very obviously when you think about it, a vital part of IP
security.  And that's what "IPsec" stands for; it's not just encryption. 

> But it is an incomplete solution
> because you may still need an external firewall.

Why?  Note that the IPsec specs set a minimum requirement only; they don't
prohibit adding any further functionality you may need. 

> I just prefer a different
> solution, in which IPsec cooperates with (or merges with) the firewall
> rather than duplicating one part of its functionality.

Why do you assume that this is a different solution?

                                                          Henry Spencer
                                                       henry@spsystems.net
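To make the point about a built-in minimum firewall concrete, here is an added illustration (not code from this thread or from any IPsec implementation) of the RFC 2401 Security Policy Database lookup rule: the first matching entry decides, and a packet that matches no entry is discarded. The policy entries and addresses are constructed for the example.

```python
"""Toy model of an RFC 2401 Security Policy Database (SPD).
Added example, not code from the thread. The default-deny rule at the
end of lookup() is what makes the SPD a minimal firewall."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class SPDEntry:
    src: str     # CIDR selector
    dst: str     # CIDR selector
    proto: str   # "any", "tcp", "udp", ...
    dport: int   # 0 means any destination port
    action: str  # DISCARD, BYPASS or PROTECT

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))

# Constructed sample policy for a gateway protecting 10.1.0.0/16.
SPD = [
    SPDEntry("0.0.0.0/0",   "10.1.0.1/32", "udp", 500, BYPASS),   # IKE to the gateway itself
    SPDEntry("10.2.0.0/16", "10.1.0.0/16", "any", 0,   PROTECT),  # remote site, via tunnel SA
    SPDEntry("0.0.0.0/0",   "10.1.0.0/16", "tcp", 23,  DISCARD),  # no cleartext telnet inbound
]

def lookup(spd, packet: Packet) -> str:
    """Return the action for a packet: first match wins, no match means DISCARD."""
    for entry in spd:
        if entry.matches(packet):
            return entry.action
    return DISCARD   # RFC 2401: traffic matching no policy entry is dropped

if __name__ == "__main__":
    for pkt in (Packet("10.2.3.4", "10.1.5.6", "tcp", 80),
                Packet("192.0.2.9", "10.1.5.6", "tcp", 22)):
        print(pkt, "->", lookup(SPD, pkt))
```

Note that the SSH packet from 192.0.2.9 is dropped not by an explicit rule but by the default, which is exactly the firewall behaviour the message above says the specs quietly require.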


