
Re: Authentication using ESP in Transport Mode



At 10:38 AM 7/10/96 -0400, Rodney Thayer wrote:
>As we all move closer to actually (gasp!) deploying working code this kind
>of question seems interesting.  Hope I'm not belaboring an old point...
>
>I wonder if you mean you want this:
>

Basically.

>
>So specifically do you mean you want to double encrypt packets at the remote
>node, so that one layer of encryption is stripped at the tunnel endpoint and
>the second layer of encryption is stripped at the other end node?

Maybe not quite.

>The packets would be:
>
>   IPv4                           ...outer header as it travels the net
>     AH                           ...is this needed?
>       ESP                        ...for firewall/tunnel
>         ESP                      ...for remote to internal node
>           original TCP/UDP/etc.  ...real data.

Would the outer ESP be needed for the end-to-end packets (only for the
end-to-gateway authorization)?  Thus there might be 2 classes of packets:

   IPv4                           ...outer header as it travels the net
       ESP                        ...for firewall/tunnel
           original TCP/UDP/etc.  ...tunnel authorization data

   IPv4                           ...outer header as it travels the net
     AH                           ...is this needed?
         ESP                      ...for remote to internal node
           original TCP/UDP/etc.  ...real data.


Of course one thing you have left out here is the issue of routing to the
internal host.  Its IP address is different from the gateway, so perhaps
you do need 2 ESPs as:

   IPv4                           ...outer header as it travels the net
     AH                           ...is this needed?
       ESP                        ...for firewall/tunnel
        IPv4                      ...inner header as it travels the intranet
          ESP                     ...for remote to internal node
           original TCP/UDP/etc.  ...real data.


And it gets worse when the workstation is inside yet another secure domain
and has to go out of its domain, across the public, and then into the
destination secure domain....

>This is an interoperability and operational question, as I understand it the
>technology is agreed upon and should work.

There will be DNS issues and addressing/routing issues as well that will
surface as we try and 'net' this all out.

Robert Moskowitz
Chrysler Corporation
(810) 758-8212
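The six-layer packet argued over in this message (IPv4 / AH / ESP / IPv4 / ESP / TCP), as an added example that is not part of the original post or of any IPsec implementation: a small Python model that builds the packet and then walks it once with the gateway's security associations and once with the internal host's, so that it is visible which layers each node can verify or open and where each must stop. Addresses, SPIs, keys and the sample TCP bytes are constructed; the header layouts follow the AH and ESP formats only in outline (AH = next header, length, reserved, SPI, ICV; ESP = SPI followed by transform output with the next-header byte inside the protected part); the AH integrity check is HMAC-SHA256 truncated to 96 bits and the ESP transform is an HMAC-derived keystream, both stand-ins for the keyed-MD5 and DES-CBC transforms of the period; and AH here covers only the AH header and what follows it, not the outer IP header fields.

```python
"""Model of nested IPsec encapsulation: who can strip which layer.

Constructed example; transforms are stand-ins, not RFC-conformant.
"""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4    # an IPv4 header follows (tunnelled datagram)
IPPROTO_TCP = 6
IPPROTO_ESP = 50
IPPROTO_AH = 51
ICV_LEN = 12        # 96-bit truncated ICV (constructed choice)

# Constructed addresses (documentation ranges) and SPIs/keys.
REMOTE, GATEWAY, INTERNAL = "203.0.113.5", "198.51.100.1", "10.0.0.7"
KEY_AH, KEY_TUNNEL, KEY_E2E = b"ah-key-demo", b"tunnel-key-demo", b"e2e-key-demo"
GATEWAY_SAS = {0x1000: KEY_AH, 0x2000: KEY_TUNNEL}   # what the firewall holds
HOST_SAS = {0x3000: KEY_E2E}                         # what the internal node holds


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:] + payload


def _icv(key, fixed, payload, icv_len=ICV_LEN):
    """Stand-in ICV: HMAC-SHA256 over the AH header (ICV zeroed) + payload."""
    return hmac.new(key, fixed + bytes(icv_len) + payload, hashlib.sha256).digest()[:icv_len]


def ah_wrap(next_proto, spi, key, payload):
    """AH: next header, length in 32-bit words of auth data, reserved, SPI, ICV."""
    fixed = struct.pack("!BBHI", next_proto, ICV_LEN // 4, 0, spi)
    return fixed + _icv(key, fixed, payload) + payload


def _keystream(key, spi, n):
    """Stand-in confidentiality transform: HMAC-derived keystream, not DES-CBC."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!II", spi, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_wrap(next_proto, spi, key, payload):
    """ESP: SPI in the clear; payload and next-header byte inside the transform."""
    plain = payload + bytes([next_proto])
    return struct.pack("!I", spi) + bytes(a ^ b for a, b in zip(plain, _keystream(key, spi, len(plain))))


def esp_unwrap(data, key):
    """Inverse of esp_wrap; returns (next_proto, payload)."""
    spi = struct.unpack("!I", data[:4])[0]
    plain = bytes(a ^ b for a, b in zip(data[4:], _keystream(key, spi, len(data) - 4)))
    return plain[-1], plain[:-1]


def walk(packet, sas):
    """Peel headers from the outside in using only the SAs this node holds
    (sas maps SPI -> key). Stops at the first ESP it cannot open, or at a bad
    AH check. Returns (layer descriptions, innermost IPv4 datagram reached),
    the datagram being what a gateway would forward onto the intranet."""
    layers, proto, data, datagram = [], IPPROTO_IPIP, packet, packet
    while True:
        if proto == IPPROTO_IPIP:                      # outer or inner IPv4 header
            datagram = data
            _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
            layers.append(f"IPv4 {socket.inet_ntoa(src)}->{socket.inet_ntoa(dst)}")
            data = data[20:total]
        elif proto == IPPROTO_AH:
            nxt, ln, _, spi = struct.unpack("!BBHI", data[:8])
            icv, rest = data[8:8 + ln * 4], data[8 + ln * 4:]
            if spi not in sas:                         # header is readable, not checkable
                layers.append(f"AH spi=0x{spi:x} (unverified: no SA)")
            elif not hmac.compare_digest(icv, _icv(sas[spi], data[:8], rest, ln * 4)):
                layers.append(f"AH spi=0x{spi:x} icv=BAD")
                return layers, datagram                # drop: look no further
            else:
                layers.append(f"AH spi=0x{spi:x} icv=ok")
            proto, data = nxt, rest
        elif proto == IPPROTO_ESP:
            spi = struct.unpack("!I", data[:4])[0]
            if spi not in sas:                         # opaque without the SA
                layers.append(f"ESP spi=0x{spi:x} (opaque: no SA)")
                return layers, datagram
            proto, data = esp_unwrap(data, sas[spi])
            layers.append(f"ESP spi=0x{spi:x}")
        else:
            layers.append("TCP" if proto == IPPROTO_TCP else f"proto {proto}")
            return layers, datagram


def build_nested_packet():
    """IPv4 / AH / ESP(tunnel) / IPv4 / ESP(end-to-end) / TCP, as in the thread."""
    tcp = b"\x04\xd2\x00\x50" + bytes(16)              # constructed TCP header stub
    inner_ip = ipv4(REMOTE, INTERNAL, IPPROTO_ESP, esp_wrap(IPPROTO_TCP, 0x3000, KEY_E2E, tcp))
    tunnel = esp_wrap(IPPROTO_IPIP, 0x2000, KEY_TUNNEL, inner_ip)
    return ipv4(REMOTE, GATEWAY, IPPROTO_AH, ah_wrap(IPPROTO_ESP, 0x1000, KEY_AH, tunnel))


if __name__ == "__main__":
    pkt = build_nested_packet()
    at_gateway, forwarded = walk(pkt, GATEWAY_SAS)
    at_host, _ = walk(forwarded, HOST_SAS)
    print("gateway sees:", at_gateway)
    print("host sees:   ", at_host)
```

Run as written, the gateway verifies AH, opens the tunnel ESP, reads the inner IPv4 destination it needs for routing, and then hits the end-to-end ESP as an opaque blob; the internal host, holding only the end-to-end SA, opens that last layer and reaches TCP. Flipping one byte of the outer payload fails the AH check at the gateway, which is the case for keeping AH on the outer packet if the gateway is to reject damage before forwarding. A node with no SAs at all can still read both SPIs and the inner destination of nothing, which is the point of putting the inner IPv4 header under the tunnel ESP.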