Re: ipsec in tunnel mode and dynamic routing

[Joe Touch <touch@ISI.EDU>]

Henry Spencer wrote:

> On Mon, 19 Nov 2001, Joe Touch wrote:
> 
>>FWIW - this is yet another place where I'd prefer to let firewall rules 
>>do their job, and IPsec to its.
>>
> 
> I think you're missing an important point:  the "sec" in "IPsec" stands
> for "security", and that encompasses more than just encryption and
> authentication.  In particular, packet access controls are *inherently*
> part of IP security; they are not a separate issue.  IPsec's SPD *is* a
> firewall, and it is a necessary part of IPsec. 


IPsec already requires that a packet, once decrypted or authenticated, 
passes _with_ that information thoughout the rest of the IP processing. 
The packet is allowed to leave IPsec and re-enter.

There is no reason to incorporate redundant functions in IPsec to make 
it monolithic.


>>The "full glory" (IMO) here lies in modularization rather than a stovepipe.
> 
> Modularization is all very well for *mechanisms*,


Actually, it is intended for implementations as well.

> but there has to be
> unified *policy* control of the mechanisms if real security is to result. 


Which is why packets must carry the security info with them.

> There is nothing that says you can't implement the SPD using existing
> firewall machinery, but it has to be done somehow.  Leaving the firewall
> in ignorance of what's going on with IPsec -- either by separating the two
> completely, or by losing information when IPsec throws a packet over the
> fence to the firewall -- does not work. 

Ahh- disconnnect on my part with the term 'firewall' - I meant

'firewall rules', as per ipfw. The entirety of what is considered
a firewall includes both ipfw and IPsec, in that case.

Joe