
2401bis Issue #72 -- Explain why ALL IP packets must be checked



Folks,

Here's a description and proposed approach for:

IPsec Issue #:	72

Title:		Explain why ALL IP packets must be checked

Description:
============
The question was raised as to why IPsec mandates (static) packet 
filtering. Henry Spencer and others suggested that we be more 
explicit about the security functionality of IPsec.

Proposed approach:
==================
Add text to 2401bis along the lines of...

"IPsec provides a range of security services to help secure 
communication for the computers and networks it protects. In addition 
to IP layer confidentiality and integrity, receiver-optional 
anti-replay and data origin authentication (via SA key management), 
IPsec also provides access control for all traffic traversing it. 
Thus IPsec includes a specification for minimal firewall 
functionality, since that is a necessary part of secure IP. 
Implementations are free to provide more sophisticated firewall 
mechanisms, and to implement the IPsec-mandated functionality using 
those more sophisticated mechanisms."

Thank you,
Karen