[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: AH (without ESP) on a secure gateway

To: ben@ascend.com (Ben Rogers)
Subject: Re: AH (without ESP) on a secure gateway
From: "C. Harald Koch" <chk@border.com>
Date: Tue, 26 Nov 1996 19:12:50 -0500
cc: Bill Sommerfeld <sommerfeld@apollo.hp.com>, "Whelan, Bill" <bwhelan@nei.com>, ipsec@tis.com
In-reply-to: ben's message of "Tue, 26 Nov 1996 17:30:19 -0500". <199611262230.RAA27739@carp.morningstar.com>
Organization: Secure Computing Canada Ltd.
Phone: +1 416 368 7157
References: <9610258489.AA848977264@netx.nei.com> <199611261929.OAA01715@thunk.orchard.medford.ma.us> <199611262230.RAA27739@carp.morningstar.com>
Sender: owner-ipsec@ex.tis.com

In message <199611262230.RAA27739@carp.morningstar.com>, Ben Rogers writes:
> 
> It seems to me that gatewayA should never try to place an AH, nor do an
> ESP encapsulation on the packet using transport mode (assuming that
> gatewayA did not originate the packet).  A gateway that put IPSEC
> headers on packets in transport mode would not only cause confusing
> problems like this, but would have severe problems dealing with
> fragmented packets.

and 

> It makes sense to only check the headers on packets that are destined
> for the local machine.  Otherwise, we would be intercepting (and
> probably modifying) packets not destined to that machine, and violating
> many of the ideas that make IP work.  Thus, I don't see any reason that
> a gateway could use transport mode to tack on an AH to a packet from
> hostA to hostB.

I disagree. The counter example: firewalls (or John Gilmore's "cryptowalls").

I see an incredible advantage for firewalls to add IPsec information to
packets, acting as proxies for the machines they're protecting. Keeps all
your Security Association information in one place, where it can be easily
configured and monitored.

People aren't going to start ripping out their firewalls just because they
have IPsec support on their hosts; firewalls allow much more security
control than IPsec does.  (Analogy: you don't unlock the front door just
because everyone can lock their own filing cabinets).

You also write:

> Why?  I believe the RFC states that the Security Association(SA) is
> chosen using only the destination address and the SPI.  It doesn't seem
> to be illegal for several hosts to send us packets using the same
> Security Association (SPI).

A security association is *indexed* by destination address and SPI. However,
It can include information about the source, including strong authentication
checks, and instructions to reject packets from an invalid IP address. It's
not illegal for several hosts to using the same SPI, but it's also not
secure (it would allow all hosts with the same keying information to spoof
each other, for example).

I think it's much more likely that a host would enforce the use of different
SPIs (and different keys) for each different source host.

-- 
C. Harald Koch          | Senior System Developer, Secure Computing Canada Ltd.
chk@border.com          | 20 Toronto Street, Suite 400, Toronto ON M5C 2B8
+1 416 368 7157 (voice) | "Madness takes its toll. Please have exact change."
+1 416 368 7789 (fax)   |		-Karen Murphy <karenm@descartes.com>

Follow-Ups:

Re: AH (without ESP) on a secure gateway

From: Ben Rogers <ben@morningstar.com>

References:

AH (without ESP) on a secure gateway

From: "Whelan, Bill" <bwhelan@nei.com>

Re: AH (without ESP) on a secure gateway

From: Bill Sommerfeld <sommerfeld@apollo.hp.com>

Re: AH (without ESP) on a secure gateway

From: Ben Rogers <ben@morningstar.com>

Prev by Date: Re: AH (without ESP) on a secure gateway
Next by Date: Re: AH (without ESP) on a secure gateway
Prev by thread: Re: AH (without ESP) on a secure gateway
Next by thread: Re: AH (without ESP) on a secure gateway
Index(es):
- Main
- Thread