[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows
The node that accepts the IKE phase 1 presumably has some acl or
credential requirement to control access - or could have. I thought
that this was the idea behind the original recommendation.
On 23/08/2009, at 2:15 AM, Mark Smith wrote:
On Sat, 22 Aug 2009 22:33:37 -0700
james woodyatt <firstname.lastname@example.org> wrote:
On Aug 22, 2009, at 21:58, Truman Boyes wrote:
This is quite confusing from an implementation perspective; security
is not explicitly increased by prohibiting non-encrypted tunnels but
allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply
serve as a driver to make all tunnel encapsulations use ESP/AH?
Yes. I'm not sure I can explain how this is supposed to increase
security, but if consensus in the working group emerges around these
recommendations and the draft can proceed through working group last
call, then that's good enough for me.
Maybe I haven't fully understood the question, however isn't the
as simple as the benefits of IPsec over cleartext? Even the
better-than-nothing-mode of IPsec, while vulnerable to
man-in-the-middle attacks during session setup, has a much smaller
window of opportunity for exploitation over clear text traffic.