Should CPE allow all IPsec through? Was: Re: CPEs
[Response to other issues will follow]
On 8 jan 2008, at 17:44, Bound, Jim wrote:
> One filter I believe will become required will be end-to-end IPsec
> and it is just let through, but for corporate and government markets
> there could become decrypt capability supporting the media line
> rates without performance degradation, and I believe we will see
> this form of DPI in the home CPE too. The other data point I see
> happening is as peer-2-peer moves further users will want the option
> to encrypt at their device to an application function and other
> devices, thus the filter is if IPsec and secure (big question for
> sure) then let it pass. Ergo no filters at all for this case. The
> firewall becomes a security manager with far more intelligence than
> today.
There has been some talk about letting all IPsec through regardless of
statefulness, but I don't remember a clear conclusion.
However, this does seem to be an attractive option in the sense that
it allows for a way to have peer-to-peer communication without giving
up security. It would probably still need some selling to some
security-conscious groups, but a good argument there would be that
there is no reasonable way that an attacker could get anywhere without
first negotiating a security association, but if we don't implement
this, that simply means applications will use less secure peer-to-peer
mechanisms.
- References:
- CPEs
- From: Iljitsch van Beijnum <iljitsch@muada.com>
- RE: CPEs
- From: "Bound, Jim" <Jim.Bound@hp.com>
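
Added illustration of the policy discussed in this message (not code from either poster): a stateless classifier for inbound packets at a CPE that passes ESP/AH and IKE without consulting connection state and leaves everything else to the existing stateful rules. IPv6 framing, the IKE UDP ports 500 and 4500, the verdict names and the sample packets are assumptions made for this example.

```python
import struct

# Protocol numbers: IPv6 extension headers to skip, then the ones matched.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ESP, AH, UDP, TCP = 50, 51, 17, 6
IKE_PORTS = {500, 4500}  # assumed: IKE, and IKE/ESP in UDP encapsulation

def classify_inbound(pkt: bytes) -> str:
    """Stateless verdict for one raw IPv6 packet arriving from the WAN side."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "stateful"
    nh, off = pkt[6], 40
    while True:
        if nh in (ESP, AH):
            return "pass-ipsec"   # payload is opaque to the CPE from here on
        if nh == UDP and len(pkt) >= off + 8:
            dport = struct.unpack_from("!H", pkt, off + 2)[0]
            return "pass-ike" if dport in IKE_PORTS else "stateful"
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS) and len(pkt) >= off + 2:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == FRAGMENT and len(pkt) >= off + 8:
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return "stateful"  # non-first fragment: be conservative
            nh, off = pkt[off], off + 8
        else:
            return "stateful"     # anything else keeps today's stateful rules

def ipv6(nh: int, payload: bytes) -> bytes:
    """Constructed test packet between 2001:db8::1 and 2001:db8::2."""
    addr = lambda last: bytes.fromhex("20010db8") + bytes(11) + bytes([last])
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 64)
    return hdr + addr(1) + addr(2) + payload

esp = struct.pack("!II", 0x1000, 1) + bytes(16)            # SPI, sequence, data
SAMPLES = {                                                 # all constructed
    "esp": ipv6(ESP, esp),
    "dstopts+esp": ipv6(DEST_OPTS, bytes([ESP, 0, 1, 4, 0, 0, 0, 0]) + esp),
    "ike": ipv6(UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    "dns": ipv6(UDP, struct.pack("!HHHH", 40000, 53, 8, 0)),
    "tcp-syn": ipv6(TCP, struct.pack("!HHIIHHHH", 40000, 445, 1, 0, 0x5002, 1024, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12} -> {classify_inbound(pkt)}")
```

A match like this recognises only the protocol number and cannot confirm that a security association exists; rejecting packets with an unknown SPI is left to the IPsec stack on the receiving host.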