
Re: SOI QUESTIONS: 2.3 Authentication styles



On Wed, 19 Jun 2002, Stephen Kent wrote:

> At 3:49 PM -0700 6/19/02, Chinna N.R. Pellacuru wrote:
> >Hi Steve,
> >
> >Can you please elaborate on what access control features IPsec provides.
> >
> >I think we discussed the access control features of IPsec not very long
> >ago in this forum, and decided that we acknowledge that IPsec doesn't
> >provide much of any access control features.
> >
> >     thanks,
> >     chinna
> >
>
>
> You dismissed the value of having IPsec enforce static packet
> filtering firewall rules on traffic, but I don't consider your
> position on this to be representative of the WG's consensus. There
> were a number of rebuttals of your position from multiple, regular
> contributors to the list to suggest that your position was in the
> minority.
>
> So, my question still stands. If you're uncertain about the features
> in question, look at 2401, especially sections 4.4 and 5.
>
> Steve

As I saw it, a minority of implementors who build high-end security
gateways complained about not just the value of minimal access control in
IPsec, but also about the inefficiency of doing this in IPsec and having
to do it in the firewall feature processing anyway (because the firewall
provides extensive and true access control and intrusion detection).

There was also a concern from a sizable minority, that the majority is
imposing inefficiencies that they are not concerned about, on everyone.
Due to the layer violations that IPsec does when doing limited 'static
packet filtering', by having to look into the transport (TCP/UDP) headers,
this limited benefit introduces a serious design hurdle for modularity and
scalability.

There was a request from the sizable minority to the majority that all
inefficiencies and layer violations be revisited, and possibly make these
implementation details not mandatory by the standards.

    chinna
 __
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."