Re: AH (without ESP) on a secure gateway
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
Bill> Let's consider the case where you're attempting to add
Bill> AH/ESP protection to an existing network which *currently
Bill> uses IP-address based access controls*. Naturally, you
Bill> don't want to create security holes while doing this.
Bill> Let's assume you have a network of cooperating but mutually
Bill> suspicious organizations, like the auto industry net which
Bill> Bob Moskowitz is building.
Let's not forget that Bob's problem is more complicated than you
actually describe :-) [Bob said he was going to write a requirements
document up in June. Did anyone see this from him?]
But it is a good problem.
Bill> What stops C from tunnelling a packet to A with a source
Bill> address on B's network? You need a policy check that the
Bill> packet emerging from the tunnel is from a source address
Bill> which is allowed to use that particular tunnel..
The way I like to do this is to consider all tunnels to be virtual
interfaces. You can add routes, etc. Alas, I still haven't had a
chance to investigate how close that aspect (the "route add -net x.y
tunnel q.r") of the NRL code is to this assumption.
IP spoof checks (which you say are already in place) can handle this
case without a problem.
Good IP spoof checks are essentially:
  1. if1 = calculate route to take to reach ip->ip_src if
     we had to reply.
  2. if interface we received ip on == if1, then okay,
     otherwise it is a spoof.
These checks would have to be done anyway for the leased line case
for your assumption (C can not impersonate A to B) to be true.
:!mcr!: | Network security consulting and
Michael Richardson | contract programming
WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html (mcr@sandelman.ottawa.on.ca). PGP key available.
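The two-step spoof check described in the message above, with each tunnel treated as a virtual interface, written out as an added example (it is not part of the original message and is not the NRL code). The interface names, prefixes and routing table are constructed for illustration.

```python
import ipaddress

# Constructed routing table for gateway A: (destination prefix, interface).
# Tunnels appear as ordinary (virtual) interfaces next to physical ones.
ROUTES = [
    ("10.1.0.0/16", "lan0"),     # A's own network
    ("10.2.0.0/16", "tun_B"),    # B's network, reached through the tunnel to B
    ("10.3.0.0/16", "tun_C"),    # C's network, reached through the tunnel to C
    ("10.3.5.0/24", "leased0"),  # one C subnet still reached over a leased line
    ("0.0.0.0/0", "wan0"),       # everything else
]


def reply_interface(src, routes=ROUTES):
    """Step 1: interface a reply to `src` would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def is_spoof(src, recv_if, routes=ROUTES):
    """Step 2: spoof unless the packet arrived on the reply interface.

    A source with no route at all is also treated as a spoof.
    """
    return reply_interface(src, routes) != recv_if


if __name__ == "__main__":
    # Constructed packets: (source address after decapsulation, receiving interface).
    packets = [
        ("10.2.4.7", "tun_B"),    # B's host arriving from B's tunnel
        ("10.2.4.7", "tun_C"),    # B's address emerging from C's tunnel
        ("10.3.5.9", "tun_C"),    # more specific route says leased0
        ("10.3.5.9", "leased0"),
        ("192.0.2.1", "wan0"),
    ]
    for src, recv_if in packets:
        verdict = "spoof" if is_spoof(src, recv_if) else "okay"
        print(f"{src:<12} via {recv_if:<8} -> {verdict}")
```

This is the strict form of the check: it assumes routing is symmetric, so a legitimate packet that arrives on a different interface than the one its reply would use is dropped as well.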