RE: Traffic Selectors (was SA fragments)



At 16:33 -0800 2/20/04, Bora Akyol wrote:
>> "I think there is agreement that port based selectors do not
>> make sense for tunnel mode." There is no rational basis for this
>> assertion, based on the message exchanges on the list. In my opinion,
>> anyone who sends a message of this sort is way off base.
>>
>
>Steve, please give a real world deployment example of how and why
>the port selectors are used in tunnel mode?
>
>Why does a network administrator define a security policy
>that secures one port in tunnel mode differently than another. Then
>how is this administrator sure that some malicious user
>is not circumventing his policy and intentionally bypassing
>the port based selectors.

wrong question, again. port-level access controls can be used to 
allow access to some set of services at an address, but not others. 
for example, one could allow access to HTTP on a web server, but not 
SMTP. if this control were applied symmetrically, then the worm that 
compromised IIS systems would not have been able to spread itself to 
other sites via e-mail from compromised servers.  is that a good 
enough example?

>What is the most common application of tunnel mode on the Internet
>today?
>
>VPNs either site-to-site or remote-to-security gateway are
>99% of the IPSEC deployments today. Transport mode is used
>pretty much to secure GRE-over-IPSEC and avoid double header
>penalties. Other than that, it is all tunnels all the time
>and none of these actually use port selectors.

we don't develop standards to accommodate only what people do today. 
if we did, then TCP would not be usable with HTTP, since when we 
developed TCP the primary apps using it were Telnet, e-mail, and FTP.

>The amount of people that participate on this list actively
>and exchange messages, is a minute fraction of a percent
>when compared to people that have actually deployed IPSEC.

and the number of people who fly on planes or pilot them is much 
greater than the number who design planes. your point is ...?

	<SNIP>

>And finally,
>there was no reason to discredit me or insult my intelligence either
>but you chose to do this anyway. You could have just argued your
>case on the technical merits. Everyone knows who you are, not many
>people know me unless they have read RFC3443 or were in the MPLS WG. IMHO,
>this is no way to conduct a conversation on any WG in the IETF.

I didn't question your intelligence. I pointed out how I perform 
triage on the vast quantity of messages with which I have to deal. I 
don't like wasting time responding to every message someone sends 
recommending a change to a spec. If the author of a message is 
someone with a track record of significant contributions, then I 
always pay attention, even if that person has not sent any traffic 
for a while. if the message is well thought out and polite, even if 
not from someone I know, it too will probably merit a polite reply. 
Your message failed both of these tests. In retrospect it might have 
been better to just ignore it.

Steve
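As an added illustration of the port-level, symmetric control Steve describes (allow HTTP to a web server, refuse SMTP in both directions), here is a small Python model of a gateway SPD with port-carrying traffic selectors. It is example code written for this archive page, not code from the thread or from any IPsec implementation; the addresses, entry names and the PROTECT/DISCARD actions are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed example: a gateway SPD that protects HTTP to a web server in
# tunnel mode and discards SMTP in both directions. All addresses, names
# and entries are assumptions for illustration, not from a real deployment.
TCP = 6
ANY = (0, 65535)
WEB = "192.0.2.10/32"      # constructed address of the protected web server
PEER = "198.51.100.0/24"   # constructed site reached through the peer gateway

@dataclass(frozen=True)
class Selector:
    """Traffic selector in terms of the gateway's local and remote sides."""
    local_net: str
    remote_net: str
    proto: Optional[int]          # None matches any protocol
    local_ports: Tuple[int, int]  # inclusive range
    remote_ports: Tuple[int, int]

    def matches(self, local, remote, proto, lport, rport):
        return (ip_address(local) in ip_network(self.local_net)
                and ip_address(remote) in ip_network(self.remote_net)
                and (self.proto is None or self.proto == proto)
                and self.local_ports[0] <= lport <= self.local_ports[1]
                and self.remote_ports[0] <= rport <= self.remote_ports[1])

# Ordered SPD, first match wins: (selector, action, mode). Because selectors
# are written as local/remote rather than src/dst, one entry covers both
# directions of a flow, which is what makes the policy symmetric.
SPD = [
    (Selector(WEB, PEER, TCP, (80, 80), ANY), "PROTECT", "tunnel"),  # HTTP to/from web server
    (Selector(WEB, PEER, TCP, ANY, (25, 25)), "DISCARD", None),      # web server -> remote SMTP
    (Selector(WEB, PEER, TCP, (25, 25), ANY), "DISCARD", None),      # remote -> SMTP on web server
    (Selector(WEB, PEER, None, ANY, ANY), "DISCARD", None),          # default deny for this pair
]

def classify(src, dst, proto, sport, dport, inbound):
    """Map a packet to local/remote form and return (action, mode) from the SPD."""
    if inbound:   # arriving from the peer: destination is our local side
        local, remote, lport, rport = dst, src, dport, sport
    else:         # leaving toward the peer: source is our local side
        local, remote, lport, rport = src, dst, sport, dport
    for sel, action, mode in SPD:
        if sel.matches(local, remote, proto, lport, rport):
            return action, mode
    return "DISCARD", None   # no entry: drop, per the default-deny convention
```

With this SPD an outbound connection from the web server to port 25 anywhere in the peer site hits the second entry and is discarded, which is the symmetric check Steve says would have stopped a compromised server from mailing itself onward.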