Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Stateless firewalls are commonly employed for efficiency and as a crude method for cutting off access to certain services - these are useful for basic access control in cost-effective, high-bandwidth network scenarios. E.g. corporations may not want to allow various P2P protocols, discovery of resources, access to certain services (especially if using UDP as the underlying protocol), remote access/management to certain resources from outside well-established network boundaries, etc. There are thousands of well-defined ports providing different services, from legacy and experimental to the 'latest, greatest service of the day' - and someone just found an exploit for it and there is no fix available! How do you ensure that your network doesn't get inundated with unwanted traffic or exploited? Block that port!!

Stateless firewalls can and do provide the fundamental building blocks for basic access control. In these scenarios, the ability to differentiate between encrypted and NULL ESP traffic is required to enforce these policies, without the need or burden of keeping state on 'connections' or 'security sessions'.

Thanks, 
- Ken

>-----Original Message-----
>From: ipsec-bounces at ietf.org [mailto:ipsec-bounces at ietf.org] On Behalf Of
>Yoav Nir
>Sent: Tuesday, February 10, 2009 11:52 AM
>To: gabriel montenegro; Tero Kivinen; Grewal, Ken
>Cc: ipsec at ietf.org; Dragan Grebovich
>Subject: Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
>
>gabriel montenegro wrote:
>
>>I'll just comment on one item below:
>>
>>> As the draft says this is mostly meant for stateful devices, and that
>>> has been the main goal for the document. The charter says:
>>>
>>> "A standards-track mechanism that allows an intermediary device, such
>>> as a firewall or intrusion detection system ..."
>>>
>>> I.e. the main goal was set to be on the devices doing deeper
>>> inspection i.e. firewalls and intrusion detection systems.
>>
>>Disagree completely. The charter item is a general one for intermediary
>devices
>>(some of which are and are expected to continue being stateless).
>>
>>The above was just an example.
>
>OK, so give us a counter-example. Why would a stateless device want to be
>able to tell the difference between ESP-AES-CBC and ESP-NULL.  What policy
>is it trying to enforce?
>
>_______________________________________________
>IPsec mailing list
>IPsec at ietf.org
>https://www.ietf.org/mailman/listinfo/ipsec
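As an added illustration of the per-packet, stateless classification Ken describes (example code written for this archive page, not from the draft or from any list participant), the check below decides whether an ESP packet is consistent with ESP-NULL so that port-based policy can be applied to it, using only RFC 4303 trailer facts: the trailer is padding, pad length, next header; default padding is 1,2,3,...; and the trailer ends 4-byte aligned. The candidate ICV lengths, the set of accepted next-header values and the sample packets are assumptions constructed here.

```python
import struct

CANDIDATE_ICV_LENS = (0, 12, 16)            # assumed candidates: none, 96-bit, 128-bit ICV
KNOWN_NEXT_HEADERS = {1, 4, 6, 17, 41, 58}  # ICMP, IPIP, TCP, UDP, IPv6, ICMPv6 (assumed set)


def plausible_tcp_header(inner: bytes) -> bool:
    """Sanity-check a cleartext TCP header: data offset 5..15, reserved bits zero."""
    if len(inner) < 20:
        return False
    data_offset = inner[12] >> 4
    return 5 <= data_offset <= 15 and (inner[12] & 0x0F) == 0 and data_offset * 4 <= len(inner)


def looks_like_esp_null(esp_packet: bytes) -> tuple:
    """Return (True, icv_len) if the packet is consistent with ESP-NULL for some
    candidate ICV length, else (False, -1). Encrypted payload looks random and
    fails the trailer checks with high probability; no per-SA state is needed."""
    body = esp_packet[8:]  # strip SPI and sequence number
    for icv_len in CANDIDATE_ICV_LENS:
        if len(body) < icv_len + 2:
            continue
        data = body[:len(body) - icv_len] if icv_len else body
        if len(data) % 4:
            continue  # ESP-NULL trailer must end on a 4-byte boundary
        pad_len, next_hdr = data[-2], data[-1]
        if next_hdr not in KNOWN_NEXT_HEADERS or pad_len > len(data) - 2:
            continue
        padding = data[len(data) - 2 - pad_len:len(data) - 2]
        if padding != bytes(range(1, pad_len + 1)):
            continue  # not RFC 4303 default padding
        inner = data[:len(data) - 2 - pad_len]
        if next_hdr == 6 and not plausible_tcp_header(inner):
            continue
        return True, icv_len
    return False, -1


def build_esp_null_packet(inner: bytes, next_hdr: int, icv_len: int) -> bytes:
    """Construct an ESP-NULL packet with RFC 4303 default padding (constructed sample)."""
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    return struct.pack("!II", 0x1000, 1) + inner + trailer + b"\xAA" * icv_len


# Constructed samples: a TCP SYN header inside ESP-NULL with a 96-bit ICV, and a
# pseudo-random body standing in for encrypted ESP.
TCP_SYN = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
ESP_NULL_TCP = build_esp_null_packet(TCP_SYN, 6, 12)
ESP_ENCRYPTED = struct.pack("!II", 0x2000, 1) + bytes((i * 37 + 11) & 0xFF for i in range(40))
```

A real implementation would also parse the inner IP/TCP/UDP headers more thoroughly and tolerate non-default padding, as a sender is free to use any padding bytes.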

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.