Security is a matter of architecture and end-to-end design. Several mechanisms 
are used to achieve an efficient balance with complexity. Features and security 
protocols are only building blocks.

IPsec and IKE are not the only features that protect a network, and routing as a 
security policy really is not a problem until shown otherwise.

Again, I urge you to be specific because there is nothing tangible in your 
claims. I understand what you mean but if you rationalized it, you would see 
your intuition fools you.


On 16 Nov 2011, at 14:17, Yoav Nir wrote:

> 
> On Nov 16, 2011, at 1:45 PM, Tero Kivinen wrote:
> 
>> Yoav Nir writes:
>>>> So you still didn't explain what GRE does better than modern IPsec
>>>> tunneling?
>>> 
>>> I think GRE (or any tunnel that is not IPsec - like L2TP) allows
>>> them to avoid having to deal with RFC 4301 stuff like SPD. The only
>>> selector they need is for the GRE tunnel (protocol 43?) or the L2TP
>>> tunnel (UDP 1701). 
>> 
>> I.e. bypass the security mechanisms provided by the security protocol. 
> 
> Yes!
> 
>>> That means that your security policy is effectively determined by
>>> the routing protocol.
>> 
>> I.e. move the security from the security protocol to something else
>> which is not a security protocol. Is this really something we want to
>> do?
> 
> Define "we"
> 
>> Who is going to make sure the end result is secure?
> 
> The customer
> 
> 

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
