
Re: SOI QUESTIONS: 2.3 Authentication styles



On Thu, 20 Jun 2002, Chinna N.R. Pellacuru wrote:
> I really don't understand the reasoning behind IPsec trying to mandate a
> minimal useless 'static packet filtering'. The problem of access control
> and intrusion detection, as far as I can see belongs in the firewall
> functionality.

IPsec, being about IP *security*, not just IP encryption and authentication,
includes a specification for minimal firewall functionality, since that is
a necessary part of secure IP.  Implementations are, of course, free to
provide more sophisticated firewall mechanisms, and to implement the IPsec-
mandated functionality using that more sophisticated mechanism.

(I have long thought it a mistake that RFC 2401 does not explicitly say
something like the previous paragraph.  It's important, and people often
overlook it or misunderstand it.)

                                                          Henry Spencer
                                                       henry@spsystems.net