Re: Should CPE allow all IPsec through? Was: Re: CPEs
On Jan 8, 2008, at 12:00, Dan Wing wrote:
> Or that those less secure peer-to-peer applications will run over
> UDP/500 and protocol 50.
Yes, but I don't think that's where the resistance to the idea of
allowing udp/500 and proto/50 to pass from exterior to interior by
default originates. I think the resistance originates from the very
simple (and stupid) expectation that the default rule for all
firewalls is to disallow unsolicited traffic from the exterior from
reaching interior nodes. Making an exception for udp/500 and proto/50
involves *thinking* about why those packets are "safe" and not any
others. Thinking is hard and exceptions are complicated, making
everything difficult to understand.
That said, I will note that the current CPE simple security I-D
recommends that unsolicited udp/500 and proto/50 be allowed to pass
from the exterior to interior nodes by default. (The specific
recommendations are R16 and R17.)
Is there a consensus in the working group that these recommendations
should be reversed?
--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering
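To make the policy question in this thread concrete, here is an added example (not code from the I-D, from Apple, or from any CPE product) of a toy stateful filter: inbound traffic is dropped by default unless it is the return half of a flow that an interior node started, with a switchable exception that admits unsolicited udp/500 (IKE) and protocol 50 (ESP) the way the message describes R16 and R17. The addresses and packets are constructed sample data, and the `allow_ipsec_passthrough` flag models the "should the recommendation be reversed?" choice.

```python
"""Toy CPE 'simple security' filter: default-deny inbound, with an optional
exception for unsolicited IKE (udp/500) and ESP (IP protocol 50).
Constructed illustration only; it is not the I-D's text or any vendor's code."""
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports (ESP)
    dport: Optional[int] = None


class SimpleSecurityFilter:
    """Stateful filter sitting between exterior and interior."""

    def __init__(self, allow_ipsec_passthrough: bool = True):
        # True models the I-D's current recommendation; False models reversing it.
        self.allow_ipsec = allow_ipsec_passthrough
        self._flows = set()  # 5-tuples of flows initiated from the interior

    def outbound(self, pkt: Packet) -> str:
        # Interior-initiated traffic is always allowed and its flow is remembered
        # so that the replies count as "solicited".
        self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        # Reverse the 5-tuple: is this the return half of an interior flow?
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return "allow"
        if self.allow_ipsec:
            if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT:
                return "allow"  # unsolicited IKE admitted by the exception
            if pkt.proto == PROTO_ESP:
                return "allow"  # unsolicited ESP admitted by the exception
        return "drop"  # everything else unsolicited is dropped by default


# Constructed sample addresses from the documentation prefix.
EXTERIOR, INTERIOR = "2001:db8:ffff::2", "2001:db8:1::10"


def demo(allow_ipsec_passthrough: bool = True) -> dict:
    """Return verdicts for a handful of constructed packets."""
    fw = SimpleSecurityFilter(allow_ipsec_passthrough)
    fw.outbound(Packet(PROTO_TCP, INTERIOR, EXTERIOR, 40000, 443))
    return {
        "unsolicited ssh": fw.inbound(Packet(PROTO_TCP, EXTERIOR, INTERIOR, 50000, 22)),
        "https reply": fw.inbound(Packet(PROTO_TCP, EXTERIOR, INTERIOR, 443, 40000)),
        "unsolicited ike": fw.inbound(Packet(PROTO_UDP, EXTERIOR, INTERIOR, 500, 500)),
        "unsolicited esp": fw.inbound(Packet(PROTO_ESP, EXTERIOR, INTERIOR)),
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"allow_ipsec_passthrough={setting}: {demo(setting)}")
```

Running it shows the two policies side by side: with the exception on, only the unsolicited SSH attempt is dropped; with it off, IKE and ESP are dropped as well, while the HTTPS reply still passes because the outbound flow was recorded first.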