
Re: Traffic selectors, fragments, ICMP messages and security policy problems



I'll mention my example, again, as to why port fields are 
appropriate, and add a note on performance:

	- by restricting access via an SA to a well known set of 
ports, relative to a specific address or set of addresses, one can 
reduce opportunities for attacks against the hosts or servers. Think 
of this as a way to close off access to inappropriate ports, and to 
prevent malicious software that may have taken over a machine from 
being able to use that machine to launch attacks against other 
machines, at least for some classes of attacks. The worm that 
attacked IIS and spread via e-mail from web servers was the example I 
cited earlier.

As for high speed, I concur with Mark.  For my DoD clients, the 
intent is to be able to take advantage of these access control 
facilities over a wide performance range, not to have to trade off 
access control features vs. interface speeds.

Steve
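To illustrate the point about port-qualified traffic selectors, here is a small model of an IPsec security policy database (SPD) lookup. It is an added example, not code from the post or from any IPsec implementation; the addresses, the web server at 10.0.0.5 and the two policy tables are constructed. It contrasts an address-only policy with one whose selectors also carry ports, and shows that under the port-qualified policy a compromised web server cannot originate connections to arbitrary ports on its neighbours, while legitimate inbound HTTP/HTTPS still flows through the SA.

```python
"""
Model of IPsec SPD lookup with traffic selectors that carry port ranges.
Constructed scenario: a web server (10.0.0.5) on a 10.0.0.0/24 LAN.
"""
import ipaddress
from dataclasses import dataclass

ANY_PROTO = 0          # wildcard protocol in a selector
ANY_PORT = (0, 65535)  # wildcard destination-port range
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Selector:
    """One traffic selector: source net, destination net, protocol, dst port range."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int
    dport: tuple  # inclusive (low, high) destination-port range

    def matches(self, src, dst, proto, dport):
        return (
            ipaddress.ip_address(src) in self.src
            and ipaddress.ip_address(dst) in self.dst
            and (self.proto == ANY_PROTO or self.proto == proto)
            and self.dport[0] <= dport <= self.dport[1]
        )


def sel(src, dst, proto=ANY_PROTO, dport=ANY_PORT):
    """Build a selector; dport may be a single port or an inclusive (lo, hi) tuple."""
    lo, hi = dport if isinstance(dport, tuple) else (dport, dport)
    return Selector(ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, (lo, hi))


# Policy 1 (constructed): address-only selectors. Everything between the LAN
# and the web server is protected, regardless of port or direction.
SPD_ADDR_ONLY = [
    (sel("10.0.0.0/24", "10.0.0.5/32"), "PROTECT"),
    (sel("10.0.0.5/32", "10.0.0.0/24"), "PROTECT"),
]

# Policy 2 (constructed): selectors also carry protocol and port. Only inbound
# TCP 80/443 to the server and outbound DNS from it are permitted; anything
# else falls through to the default DISCARD.
SPD_WITH_PORTS = [
    (sel("10.0.0.0/24", "10.0.0.5/32", TCP, 80), "PROTECT"),
    (sel("10.0.0.0/24", "10.0.0.5/32", TCP, 443), "PROTECT"),
    (sel("10.0.0.5/32", "10.0.0.53/32", UDP, 53), "PROTECT"),
]


def lookup(spd, src, dst, proto, dport):
    """First matching selector wins; traffic matching no entry is discarded."""
    for selector, action in spd:
        if selector.matches(src, dst, proto, dport):
            return action
    return "DISCARD"


def evaluate(spd):
    """Run a few constructed flows through a policy and return the decisions."""
    flows = {
        "client->server TCP/443":  ("10.0.0.20", "10.0.0.5", TCP, 443),
        "client->server TCP/22":   ("10.0.0.20", "10.0.0.5", TCP, 22),
        "server->resolver UDP/53": ("10.0.0.5", "10.0.0.53", UDP, 53),
        # A worm on the server trying to reach a neighbour's SMB port.
        "server->client TCP/445":  ("10.0.0.5", "10.0.0.20", TCP, 445),
    }
    return {name: lookup(spd, *flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for label, spd in (("address-only", SPD_ADDR_ONLY), ("with ports", SPD_WITH_PORTS)):
        print(f"--- {label} ---")
        for name, decision in evaluate(spd).items():
            print(f"{name:26s} {decision}")
```

Under the address-only policy the server-originated TCP/445 flow is protected and delivered, which is exactly the lateral-movement path the post describes; under the port-qualified policy it is discarded, while the legitimate inbound HTTPS and outbound DNS flows are unaffected. Adding port ranges to selectors costs one extra range comparison per lookup, which is why the performance concern in the post is about the lookup engine's throughput rather than the expressiveness of the selector.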