Re: IPSO - RFC 1108

From: alsontra@hotmail.com
Date: Thu Aug 19 2004 - 23:27:59 GMT-3


Thanks Howard. I was curious because the technology and RFC were mentioned
in the new Cisco Press CCIE practice labs book. (I think lab four). You've
answered my question!

Thanks,
Alsontra

At 8:12 AM -0700 8/17/04, Joseph D. Phillips wrote:
>That's a damn good question, Alsontra.
>
>----- Original Message -----
>From: <alsontra@hotmail.com>
>To: <ccielab@groupstudy.com>
>Sent: Monday, August 16, 2004 22:26
>Subject: IPSO - RFC 1108
>
>
>> Has anyone narrowed down the requirements for IPSO configuration in the R/S
>> lab? The documentation cd is a little lite and the RFC is far too much.
>> Specifically, I would like to know if anyone has considered what parts of IPSO
>> are relevant to the test? I am currently reviewing the following documents,
>> but would not mind any suggestions as to a better tutorial.
>>
>> http://www.faqs.org/rfcs/rfc1108.html
>>
>> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfipso.htm

It's always a bad idea to generalize, but I really would be surprised
to find anything about IPSO on the lab. Let me put it this way --
back when there were no Learning Partners and every instructor either
worked for or subcontracted for Cisco, I came up with a real-world
application for IPSO, much to the surprise and delight of all.

In practice, it's a very limited security capability, without any
features you can't do better with other methods. ISTR an IETF
discussion about making it Historic.

To really understand its capabilities and applicability, I actually
would suggest the RFC is insufficient; you need a background in such
things as mandatory access control and trusted network interpretation
(i.e., NSA Orange and Red Books). Since there is no cryptographic
authentication on the IPSO header, it's trivially easy to spoof, and
you can, in general, do whatever it does with access lists and
possibly policy routing.
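
Added example, not part of the original thread: a receiver-side parser for the RFC 1108 Basic Security Option, showing that the only integrity check covering the label is the unkeyed IPv4 header checksum. The option layout and level codes are taken from RFC 1108, not from the posts above; the addresses and sample headers are constructed.

```python
import struct

BSO_TYPE = 130  # Basic Security Option type (RFC 1108)
LEVELS = {0x3D: "Top Secret", 0x5A: "Secret",
          0x96: "Confidential", 0xAB: "Unclassified"}

def checksum(header: bytes) -> int:
    """IPv4 header checksum: unkeyed one's-complement sum of 16-bit words."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_bso(header: bytes):
    """Return (level, authority_flag_bytes) from the IP options, or None."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad header length")
    opts, i = header[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == BSO_TYPE:
            if length < 3:
                raise ValueError("BSO shorter than RFC 1108 minimum")
            level = LEVELS.get(opts[i + 2], f"reserved 0x{opts[i + 2]:02x}")
            return level, bytes(opts[i + 3:i + length])
        i += length
    return None

def sample_header(level_byte: int) -> bytes:
    """Constructed 24-byte header with one BSO (authority flag 0x80 = GENSER)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0, 24, 0, 0, 64, 6, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    hdr += bytes([BSO_TYPE, 4, level_byte, 0x80])
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def receiver_view(header: bytes):
    """All a receiver can verify: checksum validity and the claimed label."""
    return checksum(header) == 0, parse_bso(header)
```

Every level value yields a header that passes the same checks, so the label says nothing about who set it; enforcement has to rest on something the sender cannot choose, such as the access lists mentioned above.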



This archive was generated by hypermail 2.1.4 : Fri Sep 03 2004 - 07:02:46 GMT-3