> (I think everyone will agree that we have endless
> debates about what layering is allowed!)

It seems like any layering should be allowed. A harder question is determining if there should be a mandate for minimum support of layering required in a conformant IPsec implementation. For now it seems premature to mandate support for specific layering configuration, but it would be useful to document some common useful configurations.

Paul

--------------------------------------------------------------
Paul Lambert                         Director of Security Products
Oracle Corporation                   Phone: (415) 506-0370
500 Oracle Parkway, Box 659410       Fax:   (415) 413-2963
Redwood Shores, CA 94065             palamber@us.oracle.com
!!! Hiring, send resumes to: palamber@us.oracle.com !!!
--------------------------------------------------------------
-- BEGIN included message
- To: PALAMBER@us.oracle.com
- Subject: Re: IPsec Minutes from Montreal
- From: "Michael Richardson " <mcr@milkyway.com>
- Date: 06 Aug 96 10:30:16
In a galaxy far, far away, : 05 Aug 1996 16:34:53 PDT
> A firewall vendor gave a talk on using IPSEC with firewalls, as a
> followup to mobile IP problem of getting mobile IP traffic out of a foreign
> domain. Assume a model where presence of valid AH is required for firewall
> traversal, in either direction. The initially presented model looks at
> traversing a single firewall, nominally at the home agent perimeter. The
> second model presented shows foreign and home firewalls. The talk points out
> the need for multiple, layered SAs, from MN-to-firewall-1, then maybe between
> firewalls, then from HA to firewall-2, and eventually one SA above these to
> carry forwarded traffic from HA to MN. Speaker notes the problems of being
> able to transmit the mobile IP messages, ICMP messages, and key management
> messages through firewalls as a precursor to establishing SAs in this complex
> environment. The bottom line is that one has to look carefully at the rules
> that firewalls employ to determine what traffic will be allowed across, as

Up to this point, I agree with the minutes.

> this might cause serious problems for SA establishment, especially for mobile
> IP case. However, the proposed solution is pretty complex and there are

My perspective is that mobile IP is simply the tip of the iceberg. A good part of the IPsec architecture makes space for security gateways and the like. (I think everyone will agree that we have endless debates about what layering is allowed!)

> easier approaches to dealing with this problem in the mobile IP case, e.g.,
> co-locating FAs and HAs with firewalls, or establishing long term SAs, between
> HAs and FAs and their local firewalls, to facilitate forwarding of mobile IP
> traffic. This doesn't solve the general problem.

Does this general problem really exist? Yes: I should point out that Bob Moskowitz's problem is very highly related.

(This might not be clear to some, but remember that I build application layer firewalls. I fear to be too partisan if I were to describe how I'd use IPsec+application layer firewalls to solve his problems. Besides, I haven't seen his requirements document yet... Bob?)

--
mcr@milkyway.com            | Milkyway Networks Corporation <http://www.milkyway.com/>
Michael C. Richardson       | Makers of the Black Hole firewall
Senior Research Specialist  | info@milkyway.com for BlackHole questions
Home: mcr@sandelman.ocunix.on.ca <http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html>
"In a razor of Love." "Voodoo People! Magic People! Voodoo People! Magic People!"
-- END included message
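The layered-SA topology described in the quoted minutes (HA, home firewall, foreign firewall, MN, with per-hop SAs and one end-to-end SA "above" them) is easier to reason about with a small model. The following is an added illustration written for this page, not code from either message or from any IPsec implementation. It assumes a constructed topology, constructed SPIs and keys, and a deliberately simplified AH: a keyed HMAC over the SPI, addresses and protected content, with no sequence number, replay window or mutable-field handling. It shows three things the minutes raise: a firewall that requires a valid AH terminating at itself does not admit a packet protected only by the end-to-end SA, the hop SA's integrity check covers everything nested beneath it, and key-management traffic needs a policy exception at the firewall before any SA can exist.

```python
import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SA:
    """One unidirectional security association (constructed, not a real SADB entry)."""
    spi: int
    src: str
    dst: str
    key: bytes


@dataclass(frozen=True)
class Payload:
    src: str
    dst: str
    kind: str      # "data", or "key-mgmt" for the negotiation traffic that must cross first
    body: bytes


@dataclass(frozen=True)
class AH:
    """One AH layer: header fields, ICV, and whatever it protects (another AH or a Payload)."""
    spi: int
    src: str
    dst: str
    icv: bytes
    inner: object


def _icv(sa: SA, inner: object) -> bytes:
    # Simplified stand-in for AH's ICV: keyed MAC over SPI, addresses and protected content.
    msg = f"{sa.spi}|{sa.src}|{sa.dst}|{inner!r}".encode()
    return hmac.new(sa.key, msg, hashlib.sha256).digest()


def wrap(sa: SA, inner: object) -> AH:
    """Add one AH layer under the given SA (tunnel-style nesting)."""
    return AH(sa.spi, sa.src, sa.dst, _icv(sa, inner), inner)


class Node:
    """A firewall or end host that admits traffic only behind a valid AH it can verify."""

    def __init__(self, name: str, inbound: dict, out_sa: Optional[SA] = None):
        self.name = name
        self.inbound = inbound      # SPI -> SA whose destination is this node
        self.out_sa = out_sa        # SA used to re-wrap traffic toward the next gateway
        self.log = []

    def admit(self, pkt):
        """Return what lies under the outer AH, or None if the packet is dropped."""
        if isinstance(pkt, Payload) and pkt.kind == "key-mgmt":
            # Bootstrap exception: without it no SA could ever be negotiated through us.
            self.log.append(f"{self.name}: pass key-mgmt {pkt.src}->{pkt.dst}")
            return pkt
        if not isinstance(pkt, AH):
            self.log.append(f"{self.name}: DROP no AH")
            return None
        sa = self.inbound.get(pkt.spi)
        if sa is None or sa.dst != self.name:
            self.log.append(f"{self.name}: DROP SPI {pkt.spi:#x} does not terminate here")
            return None
        if not hmac.compare_digest(pkt.icv, _icv(sa, pkt.inner)):
            self.log.append(f"{self.name}: DROP bad ICV on SPI {pkt.spi:#x}")
            return None
        self.log.append(f"{self.name}: strip SPI {pkt.spi:#x} from {sa.src}")
        return pkt.inner


def traverse(pkt, path: list):
    """Push a packet through the nodes in order, re-wrapping at each gateway with an outbound SA."""
    for i, node in enumerate(path):
        pkt = node.admit(pkt)
        if pkt is None:
            return None
        if i + 1 < len(path) and node.out_sa is not None:
            pkt = wrap(node.out_sa, pkt)
    return pkt


def _demo_key(label: str) -> bytes:
    # Constructed demo keys; a real deployment derives these from key management.
    return hashlib.sha256(b"demo-" + label.encode()).digest()


# Constructed topology from the minutes: HA -> FW2 (home) -> FW1 (foreign) -> MN.
SA_HA_FW2 = SA(0x1001, "HA", "FW2", _demo_key("ha-fw2"))    # hop SA so the home firewall admits traffic
SA_FW2_FW1 = SA(0x1002, "FW2", "FW1", _demo_key("fw2-fw1"))  # SA between the two firewalls
SA_HA_MN = SA(0x2001, "HA", "MN", _demo_key("ha-mn"))        # end-to-end SA "above" the others

FW2 = Node("FW2", {SA_HA_FW2.spi: SA_HA_FW2}, out_sa=SA_FW2_FW1)
FW1 = Node("FW1", {SA_FW2_FW1.spi: SA_FW2_FW1})
MN = Node("MN", {SA_HA_MN.spi: SA_HA_MN})
DATA = Payload("HA", "MN", "data", b"forwarded datagram")   # constructed sample traffic


def deliver_from_ha(payload: Payload, layered: bool):
    """End-to-end SA alone vs. end-to-end SA nested inside the hop SA the home firewall requires."""
    pkt = wrap(SA_HA_MN, payload)
    if layered:
        pkt = wrap(SA_HA_FW2, pkt)
    return traverse(pkt, [FW2, FW1, MN])


def tampered_delivery():
    """Layered packet whose protected content is swapped after the outer ICV was computed."""
    pkt = wrap(SA_HA_FW2, wrap(SA_HA_MN, DATA))
    altered = wrap(SA_HA_MN, dataclasses.replace(DATA, body=b"altered"))
    return traverse(dataclasses.replace(pkt, inner=altered), [FW2, FW1, MN])


def bootstrap_key_mgmt():
    """Before any SA exists, only the key-management exception lets negotiation traffic cross."""
    bare = [Node("FW2", {}), Node("FW1", {}), Node("MN", {})]
    proposal = Payload("HA", "MN", "key-mgmt", b"SA proposal")
    return traverse(proposal, bare), traverse(DATA, bare)


if __name__ == "__main__":
    print(deliver_from_ha(DATA, layered=True))
    print(deliver_from_ha(DATA, layered=False), FW2.log[-1])
    print(tampered_delivery(), FW2.log[-1])
    print(bootstrap_key_mgmt())
```

Each node's `log` records why a packet was admitted or dropped, which is the kind of per-perimeter rule the minutes say must be examined before SA establishment can be expected to work across several firewalls.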