[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPv6 RH (was Re: SPD issues)

To: Henry Spencer <henry@spsystems.net>
Subject: Re: IPv6 RH (was Re: SPD issues)
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Tue, 28 Oct 2003 10:48:56 +0100
cc: IP Security List <ipsec@lists.tislabs.com>
In-reply-to: Your message of Mon, 27 Oct 2003 12:02:25 EST. <Pine.BSI.3.91.1031027115944.17889B-100000@spsystems.net>
Sender: owner-ipsec@lists.tislabs.com

 In your previous mail you wrote:

   On Mon, 27 Oct 2003, Bill Sommerfeld wrote:
   > > I think this is a bad idea. the local admin should use a firewall
   > > to restrict traffic with routing headers if needed. he shouldnt
   > > use the SPD to do this...
   > 
   > Any code which consults the SPD to do policy enforcement can be
   > thought of as a "firewall".

   The SPD *is* a firewall.  One serious flaw of RFC 2401 was that it did not
   make this clear.  The 2401bis draft does (section 2.1, second paragraph). 

=> we should make a distinction between a filtering mechanism and what is
sold as a firewall: Vijay and me share the opinion that the SPD belongs to
the first category and the RH stuff should be done by a device from
the second one. Of course, on a SG which is also a firewall, the SPD can
be extended in order to include plain firewall capabilities (this is better
than to fight against the firewall part :-).

Regards

Francis.Dupont@enst-bretagne.fr

Follow-Ups:
- Re: IPv6 RH (was Re: SPD issues)
  - From: Bill Sommerfeld <sommerfeld@east.sun.com>

References:
- Re: IPv6 RH (was Re: SPD issues)
  - From: Henry Spencer <henry@spsystems.net>

Prev by Date: Re: IPv6 RH (was Re: SPD issues)
Next by Date: Re: IPv6 RH (was Re: SPD issues)
Prev by thread: Re: IPv6 RH (was Re: SPD issues)
Next by thread: Re: IPv6 RH (was Re: SPD issues)
Index(es):
- Date
- Thread