RE: IKEv2 traffic selector subsetting.
On Wed, 19 Dec 2001, Andrew Krywaniuk wrote:
> It seems to me that 2401 is trying to skirt the issue by integrating the
> functionality of a very basic firewall into IPsec (thus *causing* the SADB
> and firewall to be on the same machine).
Exactly! This is never advertised as such in the IPsec documents for some
unfathomable reason -- much confusion would be saved if it were made more
explicit -- but they basically include a specification for an
Internet-standard minimum firewall mechanism.
Firewalls are, very obviously when you think about it, a vital part of IP
security. And that's what "IPsec" stands for; it's not just encryption.
> But it is an incomplete solution
> because you may still need an external firewall.
Why? Note that the IPsec specs set a minimum requirement only; they don't
prohibit adding any further functionality you may need.
> I just prefer a different
> solution, in which IPsec cooperates with (or merges with) the firewall
> rather than duplicating one part of its functionality.
Why do you assume that this is a different solution?
Henry Spencer
henry@spsystems.net