Re: SOI QUESTIONS: 2.3 Authentication styles



Unless that is your standard of security!

    chinna

On Thu, 20 Jun 2002, Chinna N.R. Pellacuru wrote:

> minimal 'static packet filtering' in IPsec is useless.
>
>     chinna
>
> On Thu, 20 Jun 2002, Stephen Kent wrote:
>
> > At 10:41 AM -0700 6/20/02, Chinna N.R. Pellacuru wrote:
> > >I really don't understand the reasoning behind IPsec trying to mandate a
> > >minimal useless 'static packet filtering'. The problem of access control
> > >and intrusion detection, as far as I can see belongs in the firewall
> > >functionality.
> >
> > ID is not an aspect of IPsec, so the above statement is either
> > confused, or confusing, your choice. Also, as I noted, ID is not
> > intrinsically a firewall function. For example, people often want a
> > network-based ID capability that focuses on traffic inside the
> > enterprise network, to catch attacks launched from machines inside
> > the firewall, as well as attacks via the firewall path.
> >
> > >The philosophy that if I am not having a problem, in my implementation,
> > >and if you are having a problem in your implementation and deployment,
> > >then it is probably an implementation defect, rather than a larger problem,
> > >is a recurring theme in this WG. I guess the assumption is that all IPsec
> > >implementations are being deployed in exactly the same way that your
> > >implementation is being deployed/not deployed.
> >
> > What I think you have heard is that other folks are NOT having a
> > problem with putting access control features in their IPsec products,
> > even when those products have other firewall functionality, and that
> > this suggests that maybe the fault lies in YOUR implementation (to
> > paraphrase Shakespeare.)
> >
> > >We have seen it a lot for a very very long time WRT IKE. Now for some
> > >reason the IKE fort was brought down (kink?), and we are actually
> > >discussing a successor to IKE after a long period of denial, and
> > >accusations and flaming.
> > >
> > >I hope the RFC 2401 fort also comes down sometime in the near future, and
> > >there is some acknowledgement to practical problems and deployment
> > >headaches.
> >
> > Don't hold your breath waiting for the access control features to be
> > pulled from 2401.
> >
> > No, on second thought, please do hold YOUR breath.
> >
> > Steve
> >
>
> __
> chinna narasimha reddy pellacuru
> "Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
> it is the repudiation of moral equivalence."
>
>

__
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."