
Re: draft-ietf-v6ops-cpe-simple-security: filtering encapsulated flows



On Sat, 22 Aug 2009 22:33:37 -0700
james woodyatt <jhw@apple.com> wrote:

> On Aug 22, 2009, at 21:58, Truman Boyes wrote:
> >
> > This is quite confusing from an implementation perspective; security  
> > is not explicitly increased by prohibiting non-encrypted tunnels but  
> > allowing encrypted (ESP or AH) traffic flows. Wouldn't this simply  
> > serve as a driver to make all tunnel encapsulations use ESP/AH?
> 
> Yes.  I'm not sure I can explain how this is supposed to increase  
> security, but if consensus in the working group emerges around these  
> recommendations and the draft can proceed through working group last  
> call, then that's good enough for me.
> 

Maybe I haven't fully understood the question; however, isn't the answer
as simple as the benefits of IPsec over cleartext? Even the
better-than-nothing mode of IPsec, while vulnerable to
man-in-the-middle attacks during session setup, has a much smaller
window of opportunity for exploitation over cleartext traffic.

Regards,
Mark.