2401bis Issue #72 -- Explain why ALL IP packets must be checked
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 72
Title: Explain why ALL IP packets must be checked
Description:
============
The question was raised as to why IPsec mandates (static) packet
filtering. Henry Spencer and others suggested that we be more
explicit about the security functionality of IPsec.
Proposed approach:
==================
Add text to 2401bis along the lines of...
"IPsec provides a range of security services to help secure
communication for the computers and networks it protects. In addition
to IP layer confidentiality and integrity, receiver-optional
anti-replay and data origin authentication (via SA key management),
IPsec also provides access control for all traffic traversing it.
Thus IPsec includes a specification for minimal firewall
functionality, since that is a necessary part of secure IP.
Implementations are free to provide more sophisticated firewall
mechanisms, and to implement the IPsec-mandated functionality using
those more sophisticated mechanisms."
Thank you,
Karen
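
Added example (not part of the original message or of 2401bis): a simplified model of the access-control check the proposed text describes, using the PROTECT, BYPASS and DISCARD dispositions the IPsec architecture defines. It is set beside a flawed variant that consults policy only for packets that arrived on an SA. The rule list, addresses and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source prefix selector
    dst: str     # destination prefix selector
    action: str  # "PROTECT", "BYPASS" or "DISCARD"


# Constructed policy (assumption); ordered, first match wins.
POLICY = [
    Rule("10.1.0.0/16", "10.2.0.0/16", "PROTECT"),  # site-to-site traffic
    Rule("0.0.0.0/0", "192.0.2.53/32", "BYPASS"),   # one public service
]


def lookup(src, dst, policy=POLICY):
    """Return the first matching rule's action; no match means DISCARD."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            return r.action
    return "DISCARD"


def inbound(src, dst, arrived_protected, policy=POLICY):
    """Check EVERY inbound packet, whether or not it arrived on an SA.

    arrived_protected: True if the packet was received on an SA and passed
    integrity checking, False if it arrived in the clear.
    """
    action = lookup(src, dst, policy)
    if action == "PROTECT":
        # Cleartext claiming to belong to a protected flow is dropped.
        return "accept" if arrived_protected else "drop"
    if action == "BYPASS":
        # Choice made in this sketch: bypassed flows are expected in the clear.
        return "drop" if arrived_protected else "accept"
    return "drop"


def inbound_sa_only(src, dst, arrived_protected, policy=POLICY):
    """Flawed variant: policy is consulted only for packets that arrived on an SA."""
    if not arrived_protected:
        return "accept"  # cleartext traffic is never checked
    return inbound(src, dst, True, policy)
```

With the same cleartext packet addressed to the protected network, `inbound` returns `drop` while `inbound_sa_only` returns `accept`; that difference is the access-control function the proposed text attributes to IPsec.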