
Re: SPD issues



Mike --

"Mike Taylor" <mtaylor.eng@sbcglobal.net> writes:

>   > Again, it's possible that packets could be sent in the wrong
>   > direction with weaker security than is intended.
>   
>   I see your point in that if I have two different policies for the
>   same source address (the red network) but different destination
>   addresses (maybe one is the public internet and another is for
>   some other subnet in my domain).  Perhaps the latter has weaker
>   security (none at all even) than the former and because routing
>   gets messed up datagrams could go out the wrong interface, perhaps
>   a public one, with no protection at all.

The paper "Rigorous Automated Network Security Management" available
at http://www.ccs.neu.edu/home/guttman seems (to me) to give ways to
ensure that a given IPsec set-up has no problems of this kind.  

        Joshua 

-- 
	Joshua D. Guttman		<guttman@mitre.org>
	MITRE, Mail Stop S119		Office:	+1 781 271 2654
	202 Burlington Rd.		Fax:	+1 781 271 8953
	Bedford, MA 01730-1420 USA	Cell:	+1 781 526 5713