
Re: SOI QUESTIONS: 2.3 Authentication styles



At 10:41 AM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
>I really don't understand the reasoning behind IPsec trying to mandate a
>minimal useless 'static packet filtering'. The problem of access control
>and intrusion detection, as far as I can see belongs in the firewall
>functionality.

ID is not an aspect of IPsec, so the above statement is either 
confused, or confusing, your choice. Also, as I noted, ID is not 
intrinsically a firewall function. For example, people often want a 
network-based ID capability that focuses on traffic inside the 
enterprise network, to catch attacks launched from machines inside 
the firewall, as well as attacks via the firewall path.

>The philosophy that if I am not having a problem, in my implementation,
>and if you are having a problem in your implementation and deployment,
>then it is probably an implementation defect, rather than a larger problem,
>is a recurring theme in this WG. I guess the assumption is that all IPsec
>implementations are being deployed in exactly the same way that your
>implementation is being deployed/not deployed.

what I think you have heard is that other folks are NOT having a 
problem with putting access control features in their IPsec products, 
even when those products have other firewall functionality, and that 
this suggests that maybe the fault lies in YOUR implementation (to 
paraphrase Shakespeare.)

>We have seen it a lot for a very very long time WRT IKE. Now for some
>reason the IKE fort was brought down (kink?), and we are actually
>discussing a successor to IKE after a long period of denial, and
>accusations and flaming.
>
>I hope the RFC 2401 fort also comes down sometime in the near future, and
>there is some acknowledgement of practical problems and deployment
>headaches.

Don't hold your breath waiting for the access control features to be 
pulled from 2401.

No, on second thought, please do hold YOUR breath.

Steve