
Re: SOI QUESTIONS: 2.3 Authentication styles



It is not a problem; it is an inefficiency.

    chinna

On Thu, 20 Jun 2002, Stephen Kent wrote:

> At 9:06 AM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
> >On Thu, 20 Jun 2002, Paul Koning wrote:
> >
> >>  Excerpt of message (sent 19 June 2002) by Chinna N.R. Pellacuru:
> >>  > As I saw it, a minority of implementors who build high end security
> >>  > gateways, complained about not just the value of minimal access control in
> >>  > IPsec, but also about the inefficiency of doing this in IPsec and having
> >>  > to do it in the firewall feature processing anyway (because firewall
> >>  > provides extensive and true access control and intrusion detection).
> >>
> >>  As one who worked on a product that arguably fits in this category,
> >>  I'd have to disagree.  There certainly is overlap between the
> >>  classification processes done in IPsec, in firewalls, in traffic
> >>  managers, and so on.  That doesn't mean things have to be
> >>  inefficient.  Instead, it means you have the opportunity to provide
> >>  all three functions through a single classification step.  That
> >>  requires more care in implementation, but it certainly is possible.
> >>
> >>	 paul
> >>
> >
> >Because we do the packet classification once, we test the result in
> >multiple places and that is not inefficient. Someone has to sync the
> >policies of all these modules so that the policies of all the modules play
> >nicely with every other module that does the exact same functionality. I
> >think these assumptions are lacking practical experience and large scale
> >deployment headaches.
> >
> >     chinna
>
> Your response sounds like a characterization of problems you face due
> to your implementation choices. Paul's response suggests that other
> implementation choices do not suffer as a result, and may benefit.
>
> I rest my case.
>
> Steve
>
>

__
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."