
Re: SOI QUESTIONS: 2.3 Authentication styles



At 2:06 PM -0400 6/20/02, Henry Spencer wrote:
>On Thu, 20 Jun 2002, Chinna N.R. Pellacuru wrote:
>>  I really don't understand the reasoning behind IPsec trying to mandate a
>>  minimal useless 'static packet filtering'. The problem of access control
>>  and intrusion detection, as far as I can see belongs in the firewall
>>  functionality.
>
>IPsec, being about IP *security*, not just IP encryption and authentication,
>includes a specification for minimal firewall functionality, since that is
>a necessary part of secure IP.  Implementations are, of course, free to
>provide more sophisticated firewall mechanisms, and to implement the IPsec-
>mandated functionality using that more sophisticated mechanism.
>
>(I have long thought it a mistake that RFC 2401 does not explicitly say
>something like the previous paragraph.  It's important, and people often
>overlook it or misunderstand it.)

Henry,

I will put words to this effect in 2401 bis, to help clarify this 
matter. Mind if I use yours, with an acknowledgement?

Steve