On Mon, 2008-10-20 at 19:57 +0100, Darren J Moffat wrote:
> Renee Danson wrote:
> > There are several ways to implement this policy:
> >
> > 1) create ipsec rules that only allow packets related to the needed
> > services through
>
> I don't see any value in using ipsec to do packet filtering when we have
> ipfilter

I don't think it's correct to make that statement without digging further into the problem space.

ipfilter isn't a functional subset or superset of ipsec policy; ipsec policy isn't a functional subset or superset of ipfilter.

There isn't very much architecture here, just a historic accretion of multiple implementations of almost the same thing. The 3rd-party nature of ipfilter has historically precluded tighter integration with Solaris's IPsec.