Manish,

> Hi Stephen,
>
> Thanks for your inputs vis-a-vis 4301/2/3. I concur that IPSec is
> not just about encryption but don't quite buy into what somebody
> spelled out during the meeting as 'IPSec is an access control
> mechanism that also provides other security services'; IMO, strict
> access control is more a firewall functionality. RFC 4301 spells out
> the access control rationale as
>
> "IPsec includes a specification for minimal firewall functionality,
> since that is an essential aspect of access control at the IP layer...
> The IPsec firewall function makes use of the
> cryptographically-enforced authentication and integrity provided for
> all IPsec traffic to offer better access control than could be
> obtained through use of a firewall (one not privy to IPsec internal
> parameters) plus separate cryptographic protection."

You cited one of several sentences that mention access control in 4301,
in Section 2.1. Other quotes, very close to the one you chose, make a
stronger case for access control as an important element of IPsec:
The set of
security services offered includes access control, connectionless
integrity, data origin authentication, detection and rejection of
replays (a form of partial sequence integrity), confidentiality (via
encryption), and limited traffic flow confidentiality.
and
The IPsec firewall function makes use of the
cryptographically-enforced authentication and integrity provided for
all IPsec traffic to offer better access control than could be
obtained through use of a firewall (one not privy to IPsec internal
parameters) plus separate cryptographic protection.
This second quote notes that a separate firewall, operating at the
Internet layer, is NOT as secure as the one integrated into IPsec.

> I know that we might have ruffled a few feathers wrt making the SPD
> relatively trivial but let's get down to some details as far as the
> comparison goes. The first ADVPN proposal does talk about the shortcut
> suggester possibly including traffic selectors in the shortcut
> exchange. While this seems to give the notion of the ability to
> provide SA granularity, the source of such information is a third
> party (even though both peers have an active connection with this
> third party) and doesn't quite stand up to the very reason for
> including access control in IPSec ("The IPsec firewall function makes
> use of the cryptographically-enforced authentication and integrity
> provided for all IPsec traffic to offer better access control than
> could be obtained through use of a firewall (one not privy to IPsec
> internal parameters) plus separate cryptographic protection.") - this
> is a case of the information not even being privy to the same device,
> let alone the same layer in the same device.

OK, this paragraph shows that you do understand the importance of the
internal firewall in an IPsec implementation. I'm not asserting that
ADVPN is better or worse in this regard. I just happened to be alerted
to the issue by the DMVPN message from Mike. I'm equally disappointed
with any proposal that essentially eliminates the access control feature
;-).

Steve
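The RFC 4301 point both correspondents quote, that the firewall function integrated into IPsec is "privy to IPsec internal parameters" a separate firewall lacks, as an added worked example (editor's illustration, not code from this thread, from RFC 4301, or from any ADVPN or DMVPN implementation). It models a toy Security Policy Database with PROTECT / BYPASS / DISCARD actions and, for inbound traffic, the extra check that the decapsulated packet must fall within the traffic selectors negotiated for the SA it actually arrived on. A packet that the SPD says must be protected but that arrives in the clear, or that arrives on an SA whose selectors do not cover it, is dropped even though a plain packet filter looking only at addresses and ports would pass it. Addresses, SPIs, the SPD entries and all function names are constructed sample values.

```python
"""Toy RFC 4301-style SPD lookup plus inbound SA-selector check.
Constructed example: addresses, SPIs and policies are sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTECT, BYPASS, DISCARD = "PROTECT", "BYPASS", "DISCARD"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP next-layer protocol number (1 ICMP, 6 TCP, 17 UDP)
    dport: int   # destination port, 0 when not applicable


@dataclass(frozen=True)
class Selector:
    """RFC 4301-style traffic selector: source/destination prefixes plus
    optional next-layer protocol and destination port (None means 'any')."""
    src: str
    dst: str
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class ChildSa:
    """An inbound SA after successful ESP/AH integrity verification: its SPI
    and the traffic selectors negotiated (hence authenticated) for it."""
    spi: int
    selector: Selector


# Constructed sample SPD: ordered, first match wins. A packet matching no
# entry is discarded, since the SPD must yield a decision for every packet.
SPD: List[Tuple[Selector, str]] = [
    (Selector("10.1.0.0/16", "10.2.0.0/16", proto=6, dport=443), PROTECT),
    (Selector("10.1.0.0/16", "10.2.0.0/16", proto=6, dport=22), PROTECT),
    (Selector("0.0.0.0/0", "0.0.0.0/0", proto=1), BYPASS),  # ICMP in the clear
]


def spd_lookup(pkt: Packet) -> str:
    """Return the SPD action (PROTECT, BYPASS or DISCARD) for a packet."""
    for selector, action in SPD:
        if selector.matches(pkt):
            return action
    return DISCARD


def inbound_decision(pkt: Packet, sa: Optional[ChildSa]) -> Tuple[bool, str]:
    """Decide whether an inbound (inner) packet is delivered.

    `sa` is the SA the packet was decapsulated from, or None if it arrived
    unprotected. Returns (deliver, reason)."""
    action = spd_lookup(pkt)
    if sa is None:
        # Unprotected arrival: only BYPASS traffic passes. Traffic whose policy
        # is PROTECT is dropped here, which is exactly the distinction a
        # separate firewall (not privy to IPsec state) cannot make.
        if action == BYPASS:
            return True, "bypass policy"
        return False, "unprotected packet, policy is " + action
    # Protected arrival: the inner packet must fall within the selectors of
    # the SA it came in on, and the SPD must say PROTECT for it.
    if not sa.selector.matches(pkt):
        return False, "outside selectors of SA 0x%x" % sa.spi
    if action == PROTECT:
        return True, "protected by SA 0x%x" % sa.spi
    return False, "policy is " + action


if __name__ == "__main__":
    web_sa = ChildSa(0x1001, Selector("10.1.0.0/16", "10.2.0.0/16", 6, 443))
    https = Packet("10.1.5.5", "10.2.0.10", 6, 443)
    ssh = Packet("10.1.5.5", "10.2.0.10", 6, 22)
    print(inbound_decision(https, web_sa))   # delivered
    print(inbound_decision(https, None))     # dropped: should have been protected
    print(inbound_decision(ssh, web_sa))     # dropped: SA was negotiated for 443 only
```

The third case is the one the quoted RFC text is about: the SPD alone says SSH between those networks is allowed under protection, but the packet arrived on an SA whose authenticated selectors cover only port 443, so it is rejected. A firewall that sees only the decrypted packet, or only the outer ESP header, has no way to make that check.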
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec