
Re: Is TS agreement necessary?



On Wed, 3 Apr 2002, Stephen Kent wrote:
> Your descriptions have not yet convinced me, and others, that
> interoperability is achieved and at no loss of access control
> granularity.
>

I think we had a similar debate on this list about the access control
granularity of IPsec, and what the consequences of losing it are, when
L2TP+IPsec (L2TP secured with IPsec to provide remote access) was
discussed on this list a couple of years ago.

First, we are talking about a peer that has successfully authenticated to
us in phase 1 (or its equivalent), and we have successfully identified who
the peer is. What is the point in someone strongly authenticating to us,
and then attacking us using a secured channel which has traffic source
authentication?

Secondly, isn't access control and intrusion detection much more than
looking at src/dst IP address, transport protocol and port? Yes, IPsec
provides limited access control, but how many deployments deem the access
control provided by IPsec sufficient, and do not run firewalls and IDS
systems on all traffic, including the traffic that arrived/was sent on IPsec
tunnels? The limited access control provided by IPsec may sometimes even
be regarded as a false sense of security, if people are not running a
firewall/IDS on the traffic that is protected by IPsec. We often see IPsec
and firewalls bundled as a single product, because if you want serious
access control and IDS, you should be running a firewall.

If an IPsec tunnel can be implemented in an interoperable manner to look
like a virtual point-to-point link, it can have a lot of benefits. The
IPsec secured virtual point-to-point link can be made visible to the
routing protocols, and we can run routing on that link to automatically
get the resiliency and all the other benefits provided by routing. No need
to run keepalives or DPDs, which only provide information of connectivity
to the IPsec gateways, and provide no information about the connectivity
to the traffic destination. We can route multicast traffic across the
point-to-point link too. Yes, we lose the limited access control that
IPsec provides, but any serious deployment would not solely depend on the
access control provided by IPsec.

Isn't the simplicity derived from not having to negotiate traffic
selectors in a key management/establishment protocol and not having to do
the job of routing (DPD/Keepalive) and other benefits mentioned above
worth sacrificing the limited access control provided by IPsec?

I feel that TS agreement is necessary at least to the extent that it would
be nice to come up with an interoperable way of treating the IPsec tunnel
as a point-to-point link.

chinna narasimha reddy pellacuru
s/w engineer
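The trade-off argued in the message above, as an added illustration that is not part of the original post: with negotiated traffic selectors, an off-policy packet from an authenticated peer is dropped by IPsec itself; with a route-based point-to-point tunnel (selectors effectively any/any), the same packet reaches the firewall behind the tunnel, which must then carry the policy. All addresses, ports and rules below are constructed for the example.

```python
"""Model of selector-based IPsec access control versus a route-based tunnel
plus firewall. Constructed example; not an implementation of any IPsec stack."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp", "udp", ...
    dport: int


@dataclass(frozen=True)
class Selector:
    """A traffic selector: source/destination range, protocol, port range."""
    src_net: str
    dst_net: str
    proto: Optional[str] = None            # None matches any protocol
    dport_range: Tuple[int, int] = (0, 65535)

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == p.proto)
                and self.dport_range[0] <= p.dport <= self.dport_range[1])


# Route-based tunnel: the SA carries no policy, so its selector matches anything.
ANY = Selector("0.0.0.0/0", "0.0.0.0/0")


def inbound_decision(p: Packet, selectors: List[Selector],
                     firewall: List[Selector]) -> str:
    """Where an already-authenticated inbound packet is accepted or dropped."""
    if not any(s.matches(p) for s in selectors):
        return "drop:ipsec-selector"        # enforced by the SA's traffic selectors
    if not any(r.matches(p) for r in firewall):
        return "drop:firewall"              # enforced by the firewall behind the tunnel
    return "accept"


# Constructed policy: branch 10.1.0.0/24 may only reach the mail server on TCP/25.
POLICY = [Selector("10.1.0.0/24", "10.2.0.10/32", "tcp", (25, 25))]
FIREWALL = POLICY    # the same rule, expressed in the firewall instead of the SA
ALLOWED = Packet("10.1.0.7", "10.2.0.10", "tcp", 25)
OFF_POLICY = Packet("10.1.0.7", "10.2.0.10", "tcp", 22)
```

Running `inbound_decision(OFF_POLICY, [ANY], FIREWALL)` shows the packet passing the tunnel and being stopped only by the firewall, which is the message's point that a route-based tunnel without a firewall behind it loses that check entirely.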