On Fri, 2006-10-06 at 05:48 -0700, Mike "Ford" Ditto wrote:
> Right. Specifically, it has been the intention for milestone/network
> to *depend on* IPsec (transport mode) policy and other network layer
> security mechanisms being in place, so that the milestone represents
> the earliest time that most network-listening services may safely
> start ("safely" in the sense that they aren't exposed to attacks due
> to the network layer policy not yet being enforced). IPsec tunnels,
> however, do not need to (and perhaps shouldn't) be set up before
> milestone/network.

What would be the reasoning behind that latter statement?

-Seb