Re: SOI QUESTIONS: 2.3 Authentication styles
At 9:06 AM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
>On Thu, 20 Jun 2002, Paul Koning wrote:
>
>> Excerpt of message (sent 19 June 2002) by Chinna N.R. Pellacuru:
>> > As I saw it, a minority of implementors who build high end security
>> > gateways, complained about not just the value of minimal access control in
>> > IPsec, but also about the inefficiency of doing this in IPsec and having
>> > to do it in the firewall feature processing anyway (because firewall
>> > provides extensive and true access control and intrusion detection).
>>
>> As one who worked on a product that arguably fits in this category,
>> I'd have to disagree. There certainly is overlap between the
>> classification processes done in IPsec, in firewalls, in traffic
>> managers, and so on. That doesn't mean things have to be
>> inefficient. Instead, it means you have the opportunity to provide
>> all three functions through a single classification step. That
>> requires more care in implementation, but it certainly is possible.
>>
>> paul
>>
>
>Because we do the packet classification once, we test the result in
>multiple places and that is not inefficient. Someone has to sync the
>policies of all these modules so that the policies of all the modules play
>nicely with every other module that does the exact same functionality. I
>think these assumptions are lacking practical experience and large scale
>deployment headaches.
>
> chinna
Your response sounds like a characterization of problems you face due
to your implementation choices. Paul's response suggests that other
implementation choices do not suffer as a result, and may benefit.
I rest my case.
Steve