
scenario: Authenticated Firewall Traversal
An administrator has one or more networks, and a number of mobile users.
It is desirable to restrict access to authorized external users. The
boundary router is 3.0.0.3.

Each user adds commands to tunnel and authenticate.

   route addp 3.0.0.0/8 tunnel 3.0.0.3
   secure 3.0.0.3 authenticate-only

In this example, the administrator gives each user a different username
and password, together with a separate username and password for the
router. (A lazy administrator can simply give one username and password
to all users for both the user and the router, as described previously.)

   user "wanderer" "faldaree"
   user "router" "faldarah"

The mobile host is assigned a temporary local IP address (4.0.0.4).

When the first datagram is generated destined for a node on net 3, the
routing table indicates that it should be encapsulated for 3.0.0.3.
However, the more specific routing table entry for 3.0.0.3 indicates
that authentication is required. None is currently available, so the
encapsulated datagram is tossed in the bit-bucket, and a Photuris
exchange is initiated instead.

The Photuris exchange proceeds exactly as previously described, except
that two Identifications are involved. Router 3.0.0.3 may be configured
with all the usernames permitted, or more likely will access an external
database of usernames and passwords using a mechanism such as RADIUS.

Even though router 3.0.0.3 includes DES-CBC-32 in its Attribute-Choices,
the mobile node configuration does not require that every datagram be
encrypted. That is, the specific policy of this mobile node is that an
AH be added whenever traffic is sent to 3.0.0.3, but that no ESP is
used.

In this example, the boundary router has no configured policy with
respect to the mobile node. This would be difficult, as the actual IP
address assignment is unpredictable.

However, a serendipitous SPI has been created by the mobile node. When
the router prepares to forward a datagram from inside net 3, it will
discover that the routing table entry for 4.0.0.4 includes a security
association. The router implementor could legitimately use that SPI for
AH and/or ESP in the absence of contrary policy configuration.

Therefore, the mobile node must be capable of receiving encapsulated
authenticated and/or encrypted traffic using its SPI. It must also be
capable of receiving unauthenticated and unencrypted traffic.
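The following is an added example, not code from this post or from any
Photuris implementation. It models the two decisions described above in
Python: the outbound path, where the more specific entry for 3.0.0.3
demands authentication, the first datagram is discarded and an exchange
is started, and AH but no ESP is applied once an SA exists; and the
inbound path, where the mobile node must accept both plain traffic and
AH/ESP traffic carrying the SPI it created. The addresses, the
"authenticate-only" policy and the no-ESP outcome come from the text; the
class and method names, the dictionary "packet" format, the SPI values in
the usage and the Photuris completion stub are hypothetical.

```python
# Added example (not from the original post): a model of the mobile
# node's policy logic in the Authenticated Firewall Traversal scenario.
# Class/method names, packet dicts and SPI values are hypothetical.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: IPv4Network
    tunnel: Optional[str] = None      # encapsulate for this gateway
    security: Optional[str] = None    # "authenticate-only" or "encrypt"


@dataclass
class SecurityAssociation:
    peer: str
    our_spi: int     # SPI the peer puts on traffic sent to us
    peer_spi: int    # SPI we put on traffic sent to the peer
    ah: bool
    esp: bool


class MobileNode:
    def __init__(self, local_addr: str):
        self.local = local_addr
        self.routes = []
        self.sas = {}                 # peer address -> SecurityAssociation
        self.exchanges_started = []   # peers we have initiated Photuris with

    # "route addp 3.0.0.0/8 tunnel 3.0.0.3"
    def route_addp(self, prefix: str, tunnel: Optional[str] = None):
        self.routes.append(Route(ip_network(prefix), tunnel=tunnel))

    # "secure 3.0.0.3 authenticate-only": a more specific (host) entry
    # for the tunnel endpoint that carries the security requirement.
    def secure(self, peer: str, mode: str):
        self.routes.append(Route(ip_network(peer + "/32"), security=mode))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the routing table."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def send(self, dst: str) -> Optional[dict]:
        """Describe what goes on the wire, or return None when the datagram
        is dropped because the required SA does not exist yet."""
        route = self.lookup(dst)
        if route is None or route.tunnel is None:
            return {"dst": dst, "ah": False, "esp": False}
        gw = route.tunnel
        endpoint = self.lookup(gw)           # the more specific 3.0.0.3 entry
        if endpoint is None or endpoint.security is None:
            return {"dst": dst, "tunnel": gw, "ah": False, "esp": False}
        sa = self.sas.get(gw)
        if sa is None:
            # No SA available: the encapsulated datagram goes to the
            # bit-bucket and a Photuris exchange is initiated instead.
            if gw not in self.exchanges_started:
                self.exchanges_started.append(gw)
            return None
        return {"dst": dst, "tunnel": gw, "spi": sa.peer_spi,
                "ah": sa.ah, "esp": sa.esp}

    def photuris_complete(self, peer: str, our_spi: int, peer_spi: int):
        """Install the SA once the exchange finishes. The router may offer
        encryption, but this node's own policy decides whether ESP is used."""
        mode = self.lookup(peer).security
        self.sas[peer] = SecurityAssociation(
            peer, our_spi, peer_spi, ah=True, esp=(mode == "encrypt"))

    def receive(self, pkt: dict) -> bool:
        """Inbound: plain traffic is accepted, and so is AH/ESP traffic
        carrying an SPI this node created (the router may use it although
        it has no policy configured for our temporary address)."""
        spi = pkt.get("spi")
        if spi is None:
            return True
        return any(sa.our_spi == spi for sa in self.sas.values())


def build_scenario() -> MobileNode:
    """The configuration from the post, for the mobile host at 4.0.0.4."""
    node = MobileNode("4.0.0.4")
    node.route_addp("3.0.0.0/8", tunnel="3.0.0.3")
    node.secure("3.0.0.3", "authenticate-only")
    return node


if __name__ == "__main__":
    node = build_scenario()
    print(node.send("3.0.0.7"))          # None: dropped, exchange started
    node.photuris_complete("3.0.0.3", our_spi=0x1001, peer_spi=0x2002)  # hypothetical SPIs
    print(node.send("3.0.0.7"))          # AH on, ESP off, SPI 0x2002
    print(node.receive({"spi": 0x1001}), node.receive({}))
```

The policy is attached to the host route for the tunnel endpoint rather
than to the destination network, which is exactly why the first datagram
for net 3 is dropped: the /8 entry only says "encapsulate", and it is the
/32 entry for 3.0.0.3 that says "authenticate". Note that
`photuris_complete` ignores whatever the router offered in its
Attribute-Choices and derives the ESP decision from the local policy only.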

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2