
Re: AH in tunnel mode



In message <2.2.32.19960820184342.00ab80cc@mailserv-H.ftp.com> you write:
 > - Virtual Private Networks: If an organization is geographically separated
 > and all the packets going from one subnet to the other need to be
 > authenticated, then the packets can be authenticated by the border
 > gateways (routers). This is of value if and only if the border gateways don't
 > accept any unauthenticated packets. The border gateways (routers) MUST NOT
 > be willing to do key management or IPsec with nodes that are not authorised
 > to participate in the VPN.  

I assume if a filtering component supports tunnel mode AH, it will
have the capability to distinguish between packets received with and
without AH and combine this with IP filtering.

Eg:	allow from <remote subnet> to <local subnet> if AH
	deny  from <remote subnet> to <local subnet> without AH

Anyone trying to spoof remote subnet addresses would have to spoof AH.
This should provide sufficient protection (IMHO, iff we trust AH).

As to doing key management with other entities, if you want to do
that you'll have to include filtering capabilities on SAs/SPIs
(``I'll do AH with anyone, but they won't be able to use <remote subnet>
addresses unless they use the SPI associated with that net'').

\Bernhard.
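The two filter rules above and the SPI binding, as an added illustration that is not part of the original thread. It assumes a constructed policy (remote subnet 10.2.0.0/16, local subnet 10.1.0.0/16, SPI 0x1000 bound to the remote net), the AH layout of RFC 2402, and that ICV verification has already happened before the filter runs.

```python
import ipaddress
import struct

# Constructed policy (assumption): only the SA with SPI 0x1000 may carry
# packets claiming <remote subnet> source addresses.
REMOTE_SUBNET = ipaddress.ip_network("10.2.0.0/16")
LOCAL_SUBNET = ipaddress.ip_network("10.1.0.0/16")
SPI_FOR_REMOTE = {REMOTE_SUBNET: 0x1000}
IPPROTO_AH = 51

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def ah_header(next_proto, spi, seq, icv):
    """AH (RFC 2402): next header, payload len in 32-bit words minus 2,
    reserved, SPI, sequence number, then the ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_proto, payload_len, 0, spi, seq) + icv

def parse(packet):
    """Return (src, dst, spi) seen by the filter. Without AH the outer
    addresses are used and spi is None; with tunnel-mode AH the inner
    header's addresses are used along with the SPI of the SA."""
    if packet[9] != IPPROTO_AH:
        return (ipaddress.ip_address(packet[12:16]),
                ipaddress.ip_address(packet[16:20]), None)
    ah = packet[20:]
    _next, plen, _res, spi, _seq = struct.unpack("!BBHII", ah[:12])
    inner = ah[(plen + 2) * 4:]            # inner IPv4 packet follows the AH
    return ipaddress.ip_address(inner[12:16]), ipaddress.ip_address(inner[16:20]), spi

def policy(packet):
    """Filter decision at the border gateway; ICV check assumed done earlier."""
    src, dst, spi = parse(packet)
    if src in REMOTE_SUBNET and dst in LOCAL_SUBNET:
        if spi is None:
            return "deny"     # remote address without AH: spoof or misconfiguration
        if SPI_FOR_REMOTE[REMOTE_SUBNET] != spi:
            return "deny"     # AH peer whose SA is not bound to <remote subnet>
        return "allow"
    return "deny"             # gateway accepts nothing else unauthenticated

if __name__ == "__main__":
    icv = b"\x00" * 12        # constructed placeholder ICV (HMAC-96 length)
    inner = ipv4_header("10.2.3.4", "10.1.5.6", 6, 0)
    outer = ipv4_header("192.0.2.1", "198.51.100.1", IPPROTO_AH, 24 + len(inner))
    print(policy(outer + ah_header(4, 0x1000, 1, icv) + inner))   # allow
    print(policy(inner))                                          # deny
```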

