
Re: AH (without ESP) on a secure gateway



-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
    Bill> Let's consider the case where you're attempting to add
    Bill> AH/ESP protection to an existing network which *currently
    Bill> uses IP-address based access controls*.  Naturally, you
    Bill> don't want to create security holes while doing this.

    Bill> Let's assume you have a network of cooperating but mutually
    Bill> suspicious organizations, like the auto industry net which
    Bill> Bob Moskowitz is building.

  Let's not forget that Bob's problem is more complicated than you
actually describe :-) [Bob said he was going to write a requirements
document up in June. Did anyone see this from him?]
  But it is a good problem.

    Bill> What stops C from tunnelling a packet to A with a source
    Bill> address on B's network?  You need a policy check that the
    Bill> packet emerging from the tunnel is from a source address
    Bill> which is allowed to use that particular tunnel..

  The way I like to do this is to consider all tunnels to be virtual
interfaces. You can add routes, etc. Alas, I still haven't had a
chance to investigate how close that aspect (the "route add -net x.y
tunnel q.r") of the NRL code is to this assumption.
  IP spoof checks (which you say are already in place) can handle this
case without a problem.

  Good IP spoof checks are essentially:
	1. if1 = calculate route to take to reach ip->ip_src if
		we had to reply.
	2. if interface we received ip on == if1, then okay,
		otherwise it is a spoof.

  These checks would have to be done anyway for the leased line case
for your assumption (C can not impersonate A to B) to be true.

     :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQBVAwUBMpudONTTll4efmtZAQHP2wIAlMI3CxpmJQAJJjGO6L7M3HhsLgudhr3L
i8x4jUusxwi52NOKYvOlANCxknTLrLtxuV6N58UFFBl29v7Z9btUCQ==
=bQB3
-----END PGP SIGNATURE-----
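The reverse-path spoof check in the message above (compute the interface a reply to ip_src would leave on, compare it with the interface the packet arrived on), with tunnels modelled as virtual interfaces that ordinary routes point at. This is an added illustration, not code from the message, from the NRL implementation, or from any of the people in the thread; the routing table, interface names (eth0, eth1, tunB, tunC) and the packet trace are all constructed for the example.

```python
import ipaddress

# Constructed routing table for secure gateway A (assumption, not from the
# thread): (prefix, interface).  The tunnels to B and C are just virtual
# interfaces, so the "route add -net x.y tunnel q.r" step is an ordinary
# routing-table entry pointing at tunB / tunC.
ROUTES = [
    ("10.1.0.0/16", "eth0"),   # A's own network
    ("10.2.0.0/16", "tunB"),   # B's network, reached through the tunnel to B
    ("10.3.0.0/16", "tunC"),   # C's network, reached through the tunnel to C
    ("0.0.0.0/0",   "eth1"),   # default route: the leased line
]


def add_route(routes, prefix, ifname):
    """Equivalent of 'route add -net <prefix> <interface>'."""
    routes.append((prefix, ifname))


def lookup_egress(routes, dst):
    """Step 1: longest-prefix match. Which interface would carry a reply to dst?"""
    dst = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def is_spoofed(routes, src, ingress_if):
    """Step 2: the packet is genuine only if it arrived on the interface we
    would reply over.  A packet emerging from C's tunnel with a source on
    B's network therefore fails, because a reply to that source goes to tunB."""
    return lookup_egress(routes, src) != ingress_if


# Constructed trace of decapsulated packets: (ip_src, interface received on).
PACKETS = [
    ("10.2.5.5",  "tunB"),   # B talking to A through B's tunnel
    ("10.2.5.5",  "tunC"),   # C tunnelling a packet with a source on B's network
    ("10.3.1.1",  "tunC"),   # C using its own address
    ("10.1.0.9",  "tunC"),   # C claiming an address inside A's own network
    ("192.0.2.7", "eth1"),   # an outside address arriving on the leased line
    ("10.2.5.5",  "eth1"),   # B's address arriving unprotected on the leased line
]


def filter_packets(routes, packets):
    """Label every packet in the trace 'ok' or 'spoof'."""
    return [(src, ifc, "spoof" if is_spoofed(routes, src, ifc) else "ok")
            for src, ifc in packets]


if __name__ == "__main__":
    for src, ifc, verdict in filter_packets(ROUTES, PACKETS):
        print(f"{src:>12} on {ifc:<5} -> {verdict}")
```

The same table answers the leased-line case in the last paragraph of the message: a packet carrying B's source address that arrives on eth1 instead of tunB is rejected for exactly the same reason as one arriving from C's tunnel. The check assumes symmetric routing; on a gateway where traffic to B may legitimately arrive over a different path than replies to B leave on, a strict check like this one rejects genuine packets and the policy has to be loosened to a per-tunnel list of permitted source prefixes.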