
Should CPE allow all IPsec through? Was: Re: CPEs



[Response to other issues will follow]

On 8 jan 2008, at 17:44, Bound, Jim wrote:

One filter I believe will become required will be end-to-end IPsec and it is just let through, but for corporate and government markets there could become decrypt capability supporting the media line rates without performance degradation, and I believe we will see this form of DPI in the home CPE too. The other data point I see happening is as peer-2-peer moves further, users will want the option to encrypt at their device to an application function and other devices, thus the filter is if IPsec and secure (big question for sure) then let it pass. Ergo no filters at all for this case. The firewall becomes a security manager with far more intelligence than today.

There has been some talk about letting all IPsec through regardless of statefulness, but I don't remember a clear conclusion.

However, this does seem to be an attractive option in the sense that it allows for a way to have peer-to-peer communication without giving up security. It would probably still need some selling to some security-conscious groups, but a good argument there would be that there is no reasonable way that an attacker could get anywhere without first negotiating a security association, but if we don't implement this, that simply means applications will use less secure peer-to-peer mechanisms.
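
The filter rule discussed in this thread, sketched as an added example that is not part of the original message or of any CPE implementation: inbound traffic is default-deny unless the CPE holds state for the flow, except that IPsec passes regardless of state. It assumes raw IPv6 packets, reduces the state table to a boolean, and treats IKE on UDP 500/4500 as part of "IPsec"; the function names are hypothetical.

```python
import struct

ESP, AH, UDP = 50, 51, 17                      # IANA protocol numbers
HOPOPT, ROUTING, FRAGMENT, DSTOPTS = 0, 43, 44, 60
IKE_PORTS = {500, 4500}                        # IKE, and IKE/ESP carried in UDP

def ipsec_kind(pkt: bytes):
    """Classify a raw IPv6 packet as 'esp', 'ah', 'ike' or None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    while True:                                # walk the extension header chain
        if len(pkt) < off + 8:                 # truncated: cannot classify
            return None
        if nxt == ESP:
            return "esp"
        if nxt == AH:
            return "ah"
        if nxt == UDP:
            dport = struct.unpack_from("!H", pkt, off + 2)[0]
            return "ike" if dport in IKE_PORTS else None
        if nxt in (HOPOPT, ROUTING, DSTOPTS):  # length is in 8-octet units, minus 1
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == FRAGMENT:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None                    # non-first fragment: header not visible
            nxt, off = pkt[off], off + 8
        else:
            return None                        # TCP, ICMPv6, other UDP, ...

def inbound_verdict(pkt: bytes, has_state: bool) -> str:
    """Stateful default-deny, except that IPsec passes regardless of state."""
    if has_state:
        return "pass"
    return "pass" if ipsec_kind(pkt) else "drop"

def ipv6(nxt: int, payload: bytes) -> bytes:
    """Constructed sample packet using 2001:db8::/32 documentation addresses."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    return struct.pack("!IHBB", 6 << 28, len(payload), nxt, 64) + src + dst + payload

if __name__ == "__main__":
    esp_behind_dstopts = ipv6(DSTOPTS, bytes([ESP, 0]) + bytes(6) + bytes(16))
    tcp_syn = ipv6(6, bytes(20))
    print(inbound_verdict(esp_behind_dstopts, has_state=False))
    print(inbound_verdict(tcp_syn, has_state=False))
```

The check only establishes that a packet is shaped like ESP, AH or IKE; the CPE holds no keys and cannot tell whether a security association actually exists behind it.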