
RE: IKEv2 traffic selector subsetting.



> > It seems to me that 2401 is trying to skirt the issue by integrating the
> > functionality of a very basic firewall into IPsec (thus *causing* the SADB
> > and firewall to be on the same machine).
>
> Exactly!  This is never advertised as such in the IPsec documents for some
> unfathomable reason -- much confusion would be saved if it were made more
> explicit -- but they basically include a specification for an
> Internet-standard minimum firewall mechanism.


Which brings us right back to the original point of the thread. Traditional
firewalls enforce a policy without advertising it. IPsec SPD firewalls add
this extra 'selector negotiation' feature. However, the IPsec selectors are
not adequate to express the entire spectrum of what a fully featured
firewall can use. I prefer the model in which each side merely enforces its
own policy.

If you desire the capability to detect and avoid black holes (a feature not
found in traditional firewalls), then it would be preferable for both peers
to issue ukases describing what types of traffic they are willing to accept.
This avoids the aforementioned problem where the responder chooses selectors
that don't match the triggering packet, and it makes it easy to add or
delete policies without renegotiating the SA.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.



> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net]
> Sent: Thursday, December 20, 2001 12:16 PM
> To: Andrew Krywaniuk
> Cc: ipsec@lists.tislabs.com
> Subject: RE: IKEv2 traffic selector subsetting.
>
>
> On Wed, 19 Dec 2001, Andrew Krywaniuk wrote:
> > It seems to me that 2401 is trying to skirt the issue by integrating the
> > functionality of a very basic firewall into IPsec (thus *causing* the SADB
> > and firewall to be on the same machine).
>
> Exactly!  This is never advertised as such in the IPsec documents for some
> unfathomable reason -- much confusion would be saved if it were made more
> explicit -- but they basically include a specification for an
> Internet-standard minimum firewall mechanism.
>
> Firewalls are, very obviously when you think about it, a vital part of IP
> security.  And that's what "IPsec" stands for; it's not just encryption.
>
> > But it is an incomplete solution
> > because you may still need an external firewall.
>
> Why?  Note that the IPsec specs set a minimum requirement only; they don't
> prohibit adding any further functionality you may need.
>
> > I just prefer a different
> > solution, in which IPsec cooperates with (or merges with) the firewall
> > rather than duplicating one part of its functionality.
>
> Why do you assume that this is a different solution?
>
>
> Henry Spencer
>
> henry@spsystems.net
>
>
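The black-hole case Andrew refers to above (the responder narrows the proposed selectors so far that the packet which triggered the negotiation no longer matches the resulting SA) can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the thread, from Henry's or Andrew's implementations, or from any IPsec stack. It simplifies IKEv2 traffic selectors to IPv4 address ranges plus a port range and protocol, and the names `TS`, `Packet`, `narrow`, `black_holed`, `negotiate` and all sample addresses are constructed for the illustration.

```python
"""Simplified model of IKEv2 traffic-selector narrowing and the resulting
black-hole check an initiator can run (constructed example, not a real stack)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY_PROTO = 0        # protocol 0 means "any" in a traffic selector
PORT_MAX = 65535


@dataclass(frozen=True)
class TS:
    """One traffic selector: protocol, inclusive address range, inclusive port range."""
    proto: int
    addr_lo: IPv4Address
    addr_hi: IPv4Address
    port_lo: int = 0
    port_hi: int = PORT_MAX

    def intersect(self, other: "TS") -> Optional["TS"]:
        """Largest selector allowed by both self and other, or None if disjoint."""
        if ANY_PROTO not in (self.proto, other.proto) and self.proto != other.proto:
            return None
        proto = other.proto if self.proto == ANY_PROTO else self.proto
        lo, hi = max(self.addr_lo, other.addr_lo), min(self.addr_hi, other.addr_hi)
        plo, phi = max(self.port_lo, other.port_lo), min(self.port_hi, other.port_hi)
        if lo > hi or plo > phi:
            return None
        return TS(proto, lo, hi, plo, phi)

    def covers(self, proto: int, addr: IPv4Address, port: int) -> bool:
        return ((self.proto == ANY_PROTO or self.proto == proto)
                and self.addr_lo <= addr <= self.addr_hi
                and self.port_lo <= port <= self.port_hi)


@dataclass(frozen=True)
class Packet:
    """The packet that matched the initiator's SPD entry and triggered IKE."""
    proto: int
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int


def narrow(proposed: List[TS], policy: List[TS]) -> List[TS]:
    """Responder side: keep only the parts of the proposal that local policy allows.
    An empty result corresponds to TS_UNACCEPTABLE (no child SA is created)."""
    out: List[TS] = []
    for p in proposed:
        for q in policy:
            r = p.intersect(q)
            if r is not None and r not in out:
                out.append(r)
    return out


def black_holed(tsi: List[TS], tsr: List[TS], pkt: Packet) -> bool:
    """Initiator side: an SA was agreed, but does the triggering packet
    actually fall inside the narrowed TSi/TSr?  If not, the SA is installed
    and the traffic that caused it is silently dropped: a black hole."""
    src_ok = any(t.covers(pkt.proto, pkt.src, pkt.sport) for t in tsi)
    dst_ok = any(t.covers(pkt.proto, pkt.dst, pkt.dport) for t in tsr)
    return not (src_ok and dst_ok)


def negotiate(pkt: Packet, tsi: List[TS], tsr: List[TS],
              policy_i: List[TS], policy_r: List[TS]) -> Tuple[List[TS], List[TS], bool]:
    """One proposal/narrowing round; returns narrowed TSi, TSr and the black-hole verdict."""
    ntsi, ntsr = narrow(tsi, policy_i), narrow(tsr, policy_r)
    return ntsi, ntsr, black_holed(ntsi, ntsr, pkt)


A = IPv4Address
# Constructed sample: an SSH connection triggered the initiator's "protect" rule.
TRIGGER = Packet(6, A("10.1.5.5"), 40000, A("10.2.0.9"), 22)
# Initiator proposes its whole SPD entry: any proto, 10.1/16 <-> 10.2/16, any port.
TSI = [TS(ANY_PROTO, A("10.1.0.0"), A("10.1.255.255"))]
TSR = [TS(ANY_PROTO, A("10.2.0.0"), A("10.2.255.255"))]
# Responder's policy is narrower on its own side: only TCP/443 into one /24.
POLICY_I = [TS(ANY_PROTO, A("10.1.0.0"), A("10.1.255.255"))]
POLICY_R = [TS(6, A("10.2.0.0"), A("10.2.0.255"), 443, 443)]

if __name__ == "__main__":
    ntsi, ntsr, hole = negotiate(TRIGGER, TSI, TSR, POLICY_I, POLICY_R)
    print("narrowed TSi:", ntsi)
    print("narrowed TSr:", ntsr)
    print("trigger black-holed:", hole)
```

With the sample inputs the responder hands back a perfectly valid, non-empty selector pair, yet the port-22 packet that started the exchange matches neither SA nor any other SPD entry, which is exactly the failure the thread is about. Checking the trigger against the narrowed selectors before installing the SA turns a silent drop into a detectable event; the IKEv2 specification as eventually published (RFC 7296) also lets the initiator place the triggering packet's addresses first in TSi/TSr so the responder's narrowing can favour them.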
