
Re: Firewall "uniformity" issue



On 28-apr-2005, at 20:33, Erik Nordmark wrote:

> If we assume we always have deferred shim context establishment, then the timeliness of the shim setup isn't critical, hence it makes sense to avoid penalizing the data traffic (with firewall-related loss, or differently protected by a SG). With this assumption I think it makes sense to not try to put the two in the same packet.

I agree that in most cases we wouldn't want to do this, but I also think being able to have the shim setup in transport/data carrying packets will come in handy in the future. One very important aspect of having the shim setup in the initial packet is that the initial packet is the only one an attacker with sniffing capability can't guess about.