scenario: Automated Firewall Bypass

Although the previous examples may be adequate in early stages of
deployment, where many nodes have not been upgraded to include Internet
Security, the "ultimate goal" is direct IP connectivity. This is
particularly required when both nodes are mobile, and there are no fixed
well-known routers between them. This will also reduce configuration,
and facilitate network renumbering.

Instead of relying on an administrator, the users are empowered to
select their own usernames and passwords. They may change them at any
time with the standard tools provided by their operating systems. (A
lazy user can simply have one username and password on all systems, as
described previously.)

   user "myself@laptop.somewhere" "o,wabm,"
   user "myself@desktop.somewhere" "o,wabd!"

The user may find it convenient (or be required by the operating system)
to use a more formal naming syntax (above), simply to keep the many
accessible systems separate.

When the laptop is attempting to access the desktop, it may be
obstructed by an intervening router acting as a firewall. This is
indicated by receipt of the ICMP message Destination Unreachable:
Communication Administratively Prohibited (Type 3, Code 13).

The Photuris exchange proceeds as previously described, except that
rather than sending to the firewall, the exchange is attempted to the
actual target system first. This will work when the firewall is capable
of passing Photuris datagrams, as well as AH and ESP protected
datagrams.

If the implementation continues to receive ICMP messages in response to
the Cookie_Request, it should abandon the exchange and attempt a
Photuris exchange with the intervening router instead. This may be
problematic when the router does not have a public-key form of signature
available, as by definition the user has not configured the presence of
this router. Such a mechanism is outside the scope of this document.
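The fallback rule above, as an added illustration that is not the author's Photuris code: parse the ICMP Type 3 / Code 13 message, accept it only when it quotes a Cookie_Request the laptop actually sent, and switch to the rejecting router once several successive requests are refused by the same sender. Addresses, the retry count of 3 and the constructed ICMP sample are assumptions.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3      # ICMP Type 3: Destination Unreachable
ICMP_ADMIN_PROHIB = 13     # Code 13: Communication Administratively Prohibited

def parse_admin_prohibited(icmp):
    """Return (src, dst) of the datagram quoted in a Type 3 / Code 13 message,
    or None if `icmp` (ICMP header + body, no outer IP header) is anything else."""
    if len(icmp) < 28 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_ADMIN_PROHIB:
        return None
    inner = icmp[8:]                       # quoted IP header + first 8 data bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return None
    return (str(ipaddress.IPv4Address(inner[12:16])),
            str(ipaddress.IPv4Address(inner[16:20])))

def build_admin_prohibited(orig_src, orig_dst):
    """Constructed sample: a Type 3 / Code 13 message quoting a UDP datagram
    from orig_src to orig_dst (the Cookie_Request the firewall refused)."""
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                            ipaddress.IPv4Address(orig_src).packed,
                            ipaddress.IPv4Address(orig_dst).packed)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, ICMP_ADMIN_PROHIB, 0, 0) \
        + quoted_ip + b"\x00" * 8

def choose_exchange_peer(local, target, replies, retries=3):
    """`replies` holds, per Cookie_Request sent to `target`, either None (a
    normal reply came back) or (icmp_sender, icmp_bytes).  Returns `target`
    while a direct exchange is still viable, the router's address once
    `retries` Cookie_Requests were refused by the same router, or None when
    the refusals came from different senders and no single router can be named."""
    blockers = []
    for reply in replies:
        if reply is None:
            return target                  # a Cookie_Request got through
        sender, icmp = reply
        # ICMP is unauthenticated: only an ICMP quoting our own datagram may
        # influence the decision, so a stray message cannot redirect the exchange.
        if parse_admin_prohibited(icmp) != (local, target):
            continue
        blockers.append(sender)
        if len(blockers) == retries:
            break
    if len(blockers) < retries:
        return target                      # keep trying the target directly
    return blockers[0] if len(set(blockers)) == 1 else None

# Constructed sample: laptop 10.0.0.2 reaching desktop 192.0.2.10 via router 198.51.100.1
SAMPLE = [("198.51.100.1", build_admin_prohibited("10.0.0.2", "192.0.2.10"))] * 3
```

Running the exchange with the returned router still presupposes a signature for it, which, as the text notes, the user has not configured.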

Bill.Simpson@um.cc.umich.edu
          Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2