From: “Perry E. Metzger” <perry@imsi.com>
To: “Kipp E.B. Hickman” <kipp@warp.mcom.com>
Message Hash: 2689352e725e2b257e93c43f5fd72df52881428dc6f2c2431891420754bfd44c
Message ID: <9412131910.AA12716@snark.imsi.com>
Reply To: <9412131057.ZM18561@warp.mcom.com>
UTC Datetime: 1994-12-13 19:11:12 UTC
Raw Date: Tue, 13 Dec 94 11:11:12 PST
Subject: Re: IPSP and Netscape
MIME-Version: 1.0
Content-Type: text/plain

"Kipp E.B. Hickman" says:
> A (probably naive) question: If IPSP is essentially "tunnelling",
> don't sysadmins and the like get concerned that now their fancy
> routers etc. can no longer shield certain classes of unwanted
> traffic?

You are right that an encrypted IPSP packet can't be "peeked into" and
thus can't be selectively blocked by a filtering router. There is,
however, a notion in the IPv6 version (will be in the v4 version if I
have anything to do with it) of a "transparent authentication header"
which allows you to achieve authentication without privacy for those
situations that require the ability to filter packets at a firewall.
Overall, however, IPSP reduces (but does NOT by any means eliminate)
the need for firewalls, because IPSP packets can be fully private and
authenticated and thus can't be hijacked.

Perry
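
The filtering point made in the message above, as an added example that is not part of the original message: a keyless filtering router can read the TCP port behind an authentication-only header but sees nothing behind an encrypted one. It assumes the AH and ESP wire layouts as later standardized (IP protocol numbers 51 and 50), which postdate this message; the addresses, key, policy and simplified ICV are constructed for illustration.

```python
import hashlib, hmac, os, struct

AH, ESP, TCP = 51, 50, 6          # IANA protocol numbers
BLOCKED_TCP_PORTS = {23}          # constructed policy: drop telnet

def ipv4(proto, payload):
    """Minimal 20-byte IPv4 header (checksum left 0, constructed addresses)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + payload

def tcp(dport):
    """20-byte TCP header, SYN set, no options."""
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def ah_wrap(key, spi, seq, inner_proto, inner):
    """AH: next header, length, reserved, SPI, sequence, 12-byte ICV, cleartext."""
    fixed = struct.pack("!BBHII", inner_proto, 4, 0, spi, seq)  # (24 / 4) - 2 = 4
    # Simplified ICV: real AH also covers the immutable IP header fields.
    icv = hmac.new(key, fixed + inner, hashlib.sha1).digest()[:12]
    return fixed + icv + inner

def esp_wrap(spi, seq, inner):
    """ESP: SPI, sequence, ciphertext. Random bytes stand in for the ciphertext."""
    return struct.pack("!II", spi, seq) + os.urandom(len(inner) + 2)

def filter_decision(packet):
    """What a router without the key can decide: 'pass', 'drop' or 'opaque'."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == AH:                       # skip the AH header, payload is readable
        proto, body = body[0], body[(body[1] + 2) * 4:]
    if proto == ESP:                      # nothing past SPI/sequence is readable
        return "opaque"
    if proto == TCP:
        dport = struct.unpack("!H", body[2:4])[0]
        return "drop" if dport in BLOCKED_TCP_PORTS else "pass"
    return "pass"

def endpoint_verify(key, packet):
    """Receiver-side ICV check; the router above cannot do this without the key."""
    body = packet[(packet[0] & 0x0F) * 4:]
    fixed, icv, inner = body[:12], body[12:24], body[24:]
    want = hmac.new(key, fixed + inner, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(icv, want)
```

The router filters on fields it cannot itself authenticate; only the endpoint holding the key can tell whether the port it filtered on was altered in transit.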