
Re: SOI QUESTIONS: 2.3 Authentication styles



minimal 'static packet filtering' in IPsec is useless.

    chinna

On Thu, 20 Jun 2002, Stephen Kent wrote:

> At 10:41 AM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
> >I really don't understand the reasoning behind IPsec trying to mandate a
> >minimal useless 'static packet filtering'. The problem of access control
> >and intrusion detection, as far as I can see belongs in the firewall
> >functionality.
>
> ID is not an aspect of IPsec, so the above statement is either
> confused, or confusing, your choice. Also, as I noted, ID is not
> intrinsically a firewall function. For example, people often want a
> network-based ID capability that focuses on traffic inside the
> enterprise network, to catch attacks launched from machines inside
> the firewall, as well as attacks via the firewall path.
>
> >The philosophy that if I am not having a problem, in my implementation,
> >and if you are having a problem in your implementation and deployment,
> >then it is probably an implementation defect, rather than a larger problem,
> >is a recurring theme in this WG. I guess the assumption is that all IPsec
> >implementations are being deployed in exactly the same way that your
> >implementation is being deployed/not deployed.
>
> what I think you have heard is that other folks are NOT having a
> problem with putting access control features in their IPsec products,
> even when those products have other firewall functionality, and that
> this suggests that maybe the fault lies in YOUR implementation (to
> paraphrase Shakespeare.)
>
> >We have seen it a lot for a very very long time WRT IKE. Now for some
> >reason the IKE fort was brought down (kink?), and we are actually
> >discussing a successor to IKE after a long period of denial, and
> >accusations and flaming.
> >
> >I hope the RFC 2401 fort also comes down sometime in the near future, and
> >there is some acknowledgement to practical problems and deployment
> >headaches.
>
> Don't hold your breath waiting for the access control features to be
> pulled from 2401.
>
> No, on second thought, please do hold YOUR breath.
>
> Steve
>

__
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."
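As an added illustration that is not part of this thread or of any IPsec implementation, the following models the "static packet filtering" the message argues about: the RFC 2401 Security Policy Database (SPD), an ordered list of selector entries (address ranges, protocol, ports) each carrying a BYPASS, DISCARD or PROTECT action, consulted for inbound traffic after AH/ESP processing so that a packet is only accepted if it arrived under the SA its selector calls for. The entry names, the SA labels and the sample SPD are constructed assumptions, not values from RFC 2401.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The three SPD actions defined by RFC 2401.
BYPASS, DISCARD, PROTECT = "BYPASS", "DISCARD", "PROTECT"


@dataclass
class SpdEntry:
    src: str                       # source address range, CIDR
    dst: str                       # destination address range, CIDR
    action: str                    # BYPASS, DISCARD or PROTECT
    proto: Optional[int] = None    # IP protocol number, None = any
    dport: Optional[tuple] = None  # inclusive (low, high) destination port range, None = any
    sa_name: Optional[str] = None  # PROTECT entries: SA the traffic must arrive under (constructed label)

    def matches(self, pkt: dict) -> bool:
        """Selector match for one packet, given as a dict of src, dst, proto, dport."""
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None:
            port = pkt.get("dport")
            if port is None or not (self.dport[0] <= port <= self.dport[1]):
                return False
        return True


def spd_lookup(spd, pkt):
    """Ordered, first-match search of the SPD; returns the entry or None."""
    for entry in spd:
        if entry.matches(pkt):
            return entry
    return None


def inbound_check(spd, pkt, arrived_via_sa=None) -> str:
    """Decide what happens to an inbound packet.

    arrived_via_sa is None for cleartext arrival, otherwise the label of the SA
    that carried the packet. The decapsulated packet must match an SPD entry
    that calls for exactly that SA; anything else is dropped.
    """
    entry = spd_lookup(spd, pkt)
    if entry is None:
        return DISCARD
    if arrived_via_sa is None:
        # Cleartext arrival: only traffic the policy explicitly bypasses may pass.
        return BYPASS if entry.action == BYPASS else DISCARD
    # Arrived through an SA: selector must call for protection under that very SA,
    # so traffic cannot be smuggled in under a broader or unrelated SA.
    if entry.action == PROTECT and entry.sa_name == arrived_via_sa:
        return PROTECT
    return DISCARD


# Constructed sample SPD: admin SSH on its own SA, the rest of the site on
# another, ICMP allowed in the clear, everything else dropped.
SPD = [
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", PROTECT, proto=6, dport=(22, 22), sa_name="sa-admin"),
    SpdEntry("10.1.0.0/16", "10.2.0.0/16", PROTECT, sa_name="sa-site"),
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", BYPASS, proto=1),
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", DISCARD),
]

if __name__ == "__main__":
    ssh = {"src": "10.1.1.1", "dst": "10.2.1.1", "proto": 6, "dport": 22}
    print(inbound_check(SPD, ssh, "sa-admin"))   # PROTECT
    print(inbound_check(SPD, ssh, "sa-site"))    # DISCARD, wrong SA
    print(inbound_check(SPD, ssh))               # DISCARD, cleartext
```

The ordering matters: the narrower SSH entry sits before the broader site entry, so a packet for port 22 arriving under the site SA fails the selector check even though the site SA covers the address range. That per-SA check on decapsulated traffic is the access control Kent refers to in 2401; it is independent of whatever firewall or intrusion-detection function sits elsewhere on the path.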