
RE: Should CPE allow all IPsec through? Was: Re: CPEs



ack I concur with you on the issue you articulate well below.
thanks
/jim

> -----Original Message-----
> From: Iljitsch van Beijnum [mailto:iljitsch@muada.com]
> Sent: Tuesday, January 08, 2008 12:05 PM
> To: Bound, Jim
> Cc: IPv6 Operations
> Subject: Should CPE allow all IPsec through? Was: Re: CPEs
>
> [Response to other issues will follow]
>
> On 8 jan 2008, at 17:44, Bound, Jim wrote:
>
> > One filter I believe will become required will be end-to-end IPsec and
> > it is just let through, but for corporate and government markets there
> > could become decrypt capability supporting the media line rates
> > without performance degradation, and I believe we will see this form
> > of DPI in the home CPE too.  The other data point I see happening is
> > as peer-2-peer moves further users will want the option to encrypt at
> > their device to an application function and other devices, thus the
> > filter is if IPsec and secure (big question for
> > sure) then let it pass. Ergo no filters at all for this case.  The
> > firewall becomes a security manager with far more intelligence than
> > today.
>
> There has been some talk about letting all IPsec through
> regardless of statefulness, but I don't remember a clear conclusion.
>
> However, this does seem to be an attractive option in the
> sense that it allows for a way to have peer-to-peer
> communication without giving up security. It would probably
> still need some selling to some security-conscious groups,
> but a good argument there would be that there is no
> reasonable way that an attacker could get anywhere without
> first negotiating a security association, but if we don't
> implement this, that simply means applications will use less
> secure peer-to-peer mechanisms.
>