Re: AH (without ESP) on a secure gateway



> > The "policy engines" on each end need to be sophisticated enough to
> > deal with things like this.  In particular, if ip-address based access
> > controls are in use, then the policy engine should probably do
> > consistency checks between the SPI and the source address..
> 
> Why?  I believe the RFC states that the Security Association(SA) is
> chosen using only the destination address and the SPI.  It doesn't seem
> to be illegal for several hosts to send us packets using the same
> Security Association (SPI).

All things which aren't illegal aren't necessarily also good ideas.

> It makes sense to only check the headers on packets that are destined
> for the local machine.  Otherwise, we would be intercepting (and
> probably modifying) packets not destined to that machine, and violating
> many of the ideas that make IP work.  Thus, I don't see any reason that
> a gateway could use transport mode to tack on an AH to a packet from
> hostA to hostB.

Let's consider the case where you're attempting to add AH/ESP
protection to an existing network which *currently uses IP-address
based access controls*.  Naturally, you don't want to create security
holes while doing this.

Let's assume you have a network of cooperating but mutually suspicious
organizations, like the auto industry net which Bob Moskowitz is
building.

For simplicity, let's assume orgs A, B, and C, connected in a "full
mesh" of leased lines (A-B, A-C, and B-C).  Assume filtering routers
on each leased line, so that C can't impersonate B when communicating
with A.  We now want to migrate to IPSEC without causing a flag day.

Let's start by replacing the leased line between C and A with a tunnel
over an untrusted network protected with AH or ESP.

What stops C from tunnelling a packet to A with a source address on
B's network?  You need a policy check that the packet emerging from
the tunnel is from a source address which is allowed to use that
particular tunnel..

For a particularly extreme example, assume that A and B are divisions
of the same company, and that C is a division of a different company
which is simultaneously a supplier and a competitor of the first
company.

					- Bill
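As an added illustration of the policy check Bill describes (not code from the original message or from any IPsec implementation), the following simulates a gateway at A that receives tunnelled packets, selects the SA by outer destination address and SPI only, and then compares the inner source address against the set of prefixes allowed to use that particular tunnel. The addresses, SPI and prefixes are constructed sample values; the tunnel between C and A is the only SA in the table, and the spoofed packet carries an inner source on B's network.

```python
"""Inbound tunnel policy check for a security gateway (added example).

SA selection follows the rule quoted in the thread: destination address
plus SPI.  The "checked" path then verifies that the decapsulated packet's
inner source address is one the SA's policy permits, which is what stops
C from emitting a packet that claims to come from B's network.
All addresses, SPIs and prefixes are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    spi: int
    gateway_dst: str                               # outer destination (our gateway)
    allowed_inner_sources: list = field(default_factory=list)  # policy selectors


@dataclass
class TunnelPacket:
    outer_src: str      # peer gateway that sent the tunnelled packet
    outer_dst: str      # our gateway address
    spi: int
    inner_src: str      # source address of the encapsulated packet
    inner_dst: str


class GatewayPolicy:
    def __init__(self):
        self._sadb = {}

    def add_sa(self, sa):
        self._sadb[(sa.gateway_dst, sa.spi)] = sa

    def lookup_sa(self, pkt):
        # SA is chosen using only the destination address and the SPI.
        return self._sadb.get((pkt.outer_dst, pkt.spi))

    def decapsulate_naive(self, pkt):
        """SA lookup only: trusts whatever inner source the peer put in."""
        sa = self.lookup_sa(pkt)
        if sa is None:
            return ("drop", "no SA")
        return ("forward", pkt.inner_src)

    def decapsulate_checked(self, pkt):
        """SA lookup plus consistency check of inner source against SA policy."""
        sa = self.lookup_sa(pkt)
        if sa is None:
            return ("drop", "no SA")
        inner = ipaddress.ip_address(pkt.inner_src)
        if not any(inner in ipaddress.ip_network(p) for p in sa.allowed_inner_sources):
            return ("drop", f"inner source {pkt.inner_src} not permitted on SPI {sa.spi:#x}")
        return ("forward", pkt.inner_src)


def run_scenario():
    """Constructed scenario: orgs A, B, C; only the C-A leased line is replaced
    by a tunnel.  Returns the decisions of both decapsulation paths."""
    a_gateway = "192.0.2.1"        # A's gateway (constructed)
    c_gateway = "192.0.2.2"        # C's gateway (constructed)
    c_net = "198.51.100.0/24"      # C's internal network (constructed)
    b_host = "203.0.113.9"         # a host address on B's network (constructed)

    policy = GatewayPolicy()
    policy.add_sa(SecurityAssociation(spi=0x1001, gateway_dst=a_gateway,
                                      allowed_inner_sources=[c_net]))

    legit = TunnelPacket(c_gateway, a_gateway, 0x1001, "198.51.100.7", "192.0.2.50")
    spoofed = TunnelPacket(c_gateway, a_gateway, 0x1001, b_host, "192.0.2.50")
    unknown = TunnelPacket(c_gateway, a_gateway, 0x2002, "198.51.100.7", "192.0.2.50")

    return {
        "legit_naive": policy.decapsulate_naive(legit),
        "legit_checked": policy.decapsulate_checked(legit),
        "spoofed_naive": policy.decapsulate_naive(spoofed),
        "spoofed_checked": policy.decapsulate_checked(spoofed),
        "unknown_spi": policy.decapsulate_checked(unknown),
    }


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:16s} -> {decision}")
```

The naive path forwards the spoofed packet, so any IP-address based access control behind A's gateway would treat it as B's traffic; the checked path drops it because B's prefix is not among the sources allowed on the C-A SA. Mapping each SA to the set of inner addresses that may legitimately use it is the "consistency check between the SPI and the source address" the thread asks for.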

