Re: SOI QUESTIONS: 2.3 Authentication styles
On Thu, 20 Jun 2002, Chinna N.R. Pellacuru wrote:
> I really don't understand the reasoning behind IPsec trying to mandate a
> minimal useless 'static packet filtering'. The problem of access control
> and intrusion detection, as far as I can see belongs in the firewall
> functionality.
IPsec, being about IP *security*, not just IP encryption and authentication,
includes a specification for minimal firewall functionality, since that is
a necessary part of secure IP. Implementations are, of course, free to
provide more sophisticated firewall mechanisms, and to implement the IPsec-
mandated functionality using that more sophisticated mechanism.

(I have long thought it a mistake that RFC 2401 does not explicitly say
something like the previous paragraph. It's important, and people often
overlook it or misunderstand it.)
Henry Spencer
henry@spsystems.net