
Re: SOI QUESTIONS: 2.3 Authentication styles



The issue is not about authentication.

I think it is amply clear to everyone that no one is debating about
authentication here, but where to do the access control, and should IPsec
RFC 2401 mandate a 'static packet filter'.

Nice try to divert the topic as if we are debating authentication.

    chinna

On Fri, 21 Jun 2002, Stephen Kent wrote:

> At 8:37 AM -0700 6/21/02, Chinna N.R. Pellacuru wrote:
> >Putting it in your own words...
> >
> >
> >"I agree that proxy firewalls can offer better security than packet
> >filtering firewalls, assuming suitable care is applied to the..."
> >
> >     chinna
> >
>
> yes, my own words, but still not sufficient to support your
> ill-articulated assertions. for example, in deriding simple packet
> filtering vs. other firewall access controls, you have never
> described which other firewall controls you are using as a reference.
> you also started including references to IDS, which is irrelevant to
> the discussion.
>
> do you really not understand the difference between the poor security
> offered by a router filter which makes access control decisions based
> on packet header fields that are from an UNAUTHENTICATED source and
> which have NO INTEGRITY PROTECTION, vs. making the same checks in an
> IPsec context where we have authenticated the source and provided
> integrity for these fields?
>
> Steve
>

__
chinna narasimha reddy pellacuru
"Moral Clarity: Def. When you do it, it is moral relativism, when I do it,
it is the repudiation of moral equivalence."
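
The distinction drawn in the quoted message, between a filter decision on unauthenticated header fields and the same decision made after source authentication and integrity checking, shown as an added example that is not part of the original thread. It is a simplified model, not real AH/ESP processing: the packet layout, the HMAC-SHA256 check value, and all names and addresses are constructed assumptions.

```python
import hashlib
import hmac
import os

ALLOWED_SRC = {"10.1.1.5"}  # constructed policy: one permitted peer

def covered_bytes(pkt):
    # Header fields the access decision relies on, plus the payload.
    return f"{pkt['src']}|{pkt['dst']}|{pkt['dport']}|".encode() + pkt["payload"]

def router_filter(pkt):
    """Static packet filter: trusts the header fields as they arrive."""
    return pkt["src"] in ALLOWED_SRC

def protect(pkt, sa):
    """Sender side: attach the SA's SPI and an integrity check value (ICV)."""
    icv = hmac.new(sa["key"], covered_bytes(pkt), hashlib.sha256).digest()
    return {**pkt, "spi": sa["spi"], "icv": icv}

def ipsec_filter(pkt, sad):
    """Receiver side: verify the ICV, then run the same source check
    against the selectors bound to that SA."""
    sa = sad.get(pkt.get("spi"))
    if sa is None or "icv" not in pkt:
        return False  # no matching SA: nothing vouches for the fields
    expected = hmac.new(sa["key"], covered_bytes(pkt), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, pkt["icv"]):
        return False  # header or payload changed, or sender lacks the key
    return pkt["src"] in sa["selectors"]  # same check, now on verified fields

# Constructed sample data (hypothetical SA and packets).
SA = {"spi": 0x1001, "key": os.urandom(32), "selectors": ALLOWED_SRC}
SAD = {SA["spi"]: SA}
GENUINE = {"src": "10.1.1.5", "dst": "10.2.2.9", "dport": 443, "payload": b"data"}
# Same claimed source, but built by a party that does not hold the SA key.
FORGED = {"src": "10.1.1.5", "dst": "10.2.2.9", "dport": 443, "payload": b"other"}

def demo():
    sealed = protect(GENUINE, SA)
    altered = {**sealed, "dport": 22}  # field modified after protection
    return {
        "router_forged": router_filter(FORGED),
        "ipsec_forged": ipsec_filter(FORGED, SAD),
        "ipsec_genuine": ipsec_filter(sealed, SAD),
        "router_altered": router_filter(altered),
        "ipsec_altered": ipsec_filter(altered, SAD),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accept' if verdict else 'drop'}")
```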