
Re: IPv6 RH (was Re: SPD issues)



On Mon, 27 Oct 2003, Bill Sommerfeld wrote:
> > I think this is a bad idea. The local admin should use a firewall
> > to restrict traffic with routing headers if needed. He shouldn't
> > use the SPD to do this...
> 
> Any code which consults the SPD to do policy enforcement can be
> thought of as a "firewall".

The SPD *is* a firewall.  One serious flaw of RFC 2401 was that it did not
make this clear.  The 2401bis draft does (section 2.1, second paragraph). 

                                                          Henry Spencer
                                                       henry@spsystems.net