
Re: Should CPE allow all IPsec through? Was: Re: CPEs



On Jan 8, 2008, at 12:00, Dan Wing wrote:

> Or that those less secure peer-to-peer applications will run over UDP/500 and protocol 50.

Yes, but I don't think that's where the resistance to the idea of allowing udp/500 and proto/50 to pass from exterior to interior by default originates. I think the resistance originates from the very simple (and stupid) expectation that the default rule for all firewalls is to disallow unsolicited traffic from the exterior from reaching interior nodes. Making an exception for udp/500 and proto/50 involves *thinking* about why those packets are "safe" and not any others. Thinking is hard and exceptions are complicated, making everything difficult to understand.

That said, I will note that the current CPE simple security I-D recommends that unsolicited udp/500 and proto/50 be allowed to pass from the exterior to interior nodes by default. (The specific recommendations are R16 and R17.)

Is there a consensus in the working group that these recommendations should be reversed?


--
james woodyatt <jhw@apple.com>
member of technical staff, communications engineering