Re: SPD issues
Mike --
"Mike Taylor" <mtaylor.eng@sbcglobal.net> writes:
> > Again, it's possible that packets could be sent in the wrong
> > direction with weaker security than is intended.
>
> I see your point in that if I have two different policies for the
> same source address (the red network) but different destination
> addresses (maybe one is the public internet and another is for
> some other subnet in my domain). Perhaps the latter has weaker
> security (none at all even) than the former and because routing
> gets messed up datagrams could go out the wrong interface, perhaps
> a public one, with no protection at all.
The paper "Rigorous Automated Network Security Management" available
at http://www.ccs.neu.edu/home/guttman seems (to me) to give ways to
ensure that a given IPsec set-up has no problems of this kind.
Joshua
--
Joshua D. Guttman <guttman@mitre.org>
MITRE, Mail Stop S119 Office: +1 781 271 2654
202 Burlington Rd. Fax: +1 781 271 8953
Bedford, MA 01730-1420 USA Cell: +1 781 526 5713
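
The misrouting concern discussed in this message can be checked mechanically. The following is an added example, not code from the thread or from the cited paper. It assumes one ordered, first-match SPD per interface and a constructed ranking of protection levels, and all addresses, interface names and policies are constructed samples.

```python
import ipaddress

# Constructed ranking of protection levels, weakest to strongest (assumption).
LEVEL = {"bypass": 0, "ah": 1, "esp": 2}

def lookup(spd, src, dst):
    """First-match lookup in an ordered SPD; no matching entry means discard."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel_src, sel_dst, action in spd:
        if s in ipaddress.ip_network(sel_src) and d in ipaddress.ip_network(sel_dst):
            return action
    return "discard"

def misroute_exposures(spds, min_level, flows):
    """Assume routing may hand any flow to any interface. Report every
    (src, dst, interface, action) where that interface's SPD would emit the
    packet with less protection than the interface requires."""
    findings = []
    for src, dst in flows:
        for iface, spd in spds.items():
            action = lookup(spd, src, dst)
            if action != "discard" and LEVEL[action] < LEVEL[min_level[iface]]:
                findings.append((src, dst, iface, action))
    return findings

RED = "10.1.0.0/16"  # constructed "red network" prefix

# Weak set-up: the same policy list is installed on both interfaces, so the
# unprotected rule for the internal subnet also exists on the public side.
SHARED = [(RED, "10.2.0.0/16", "bypass"), (RED, "0.0.0.0/0", "esp")]
WEAK = {"public": SHARED, "internal": SHARED}

# Corrected set-up: the public interface drops traffic for the internal
# subnet instead of passing it in the clear.
HARDENED = {
    "public": [(RED, "10.2.0.0/16", "discard"), (RED, "0.0.0.0/0", "esp")],
    "internal": [(RED, "10.2.0.0/16", "bypass")],
}

# Minimum protection required for anything leaving each interface (assumption).
MIN_LEVEL = {"public": "esp", "internal": "bypass"}

# Constructed sample flows: one to the internal subnet, one to the Internet.
FLOWS = [("10.1.0.7", "10.2.0.9"), ("10.1.0.7", "203.0.113.5")]

if __name__ == "__main__":
    print("weak:", misroute_exposures(WEAK, MIN_LEVEL, FLOWS))
    print("hardened:", misroute_exposures(HARDENED, MIN_LEVEL, FLOWS))
```
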