Re: CONSENSUS TEST: Fragmentation handling
In your previous mail you wrote:
> => anything which tries to look inside my packets violates my
> confidentiality, and I don't like this at all from something which
> is supposed to protect it. IMHO a router should not look at something
> which is not in the IP header, or do you argue we should only use
> IPsec end-to-end? (I am not against the idea but this is a bit drastic.)
> We're talking about behavior in an IPsec implementation which enforces
> policy based on port numbers. On the cleartext side, it's *already*
> looking into the packet well past the IP header.
=> I have nothing against an IPsec implementation which enforces policy
based on port numbers, and when a security gateway is co-located with
a stateful firewall this is the thing to do, so this has to be specified.
My concern is that, as a side effect of this specification, it seems that
enforcing policy based on port numbers is RECOMMENDED. I believe the
issue is in fact in the wording...
Thanks
Francis.Dupont@enst-bretagne.fr