[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: AH (without ESP) on a secure gateway
> From: "Whelan, Bill" <bwhelan@nei.com>
> >But this potential conflict is not necessarily fatal, is it? Assuming
> >cooperating firewalls, the conflict can exist and be irrelevant. The
> >firewalls unwrap outer headers according to their notions of the SA
> >mappings, and the end hosts unwrap inner headers according to their
> >notions. Conflicts are invisible as long as the firewalls are in
> >place.
>
> Outer headers and inner headers? Per RFC1826, the Authentication Header
> sits between the IP header and the upper layer protocol. It appears the
> same whether it's inserted by the host system or the gateway.
>
This makes no sense to me at all. Since the SPI is relative to the
Destination, and supposedly protects the IP Header, I do not understand
this assumption that AH or ESP could or should ever be inserted/removed
by a router/firewall.
That is, only "tunneling" should be used for secure communication to or
between firewall/routers, with SPIs that reflect the firewall
Destination, not the host Destination.
Besides, what would you do if there were multiple firewall paths to the
same host? Or when communicating securely to an "intranet" Destination,
passing no firewalls at all? The Destination host could be assigning
that same SPI to a different session that travels a different path!
That way lies madness....
And I'm sure that we covered this on this list over 2 years ago. This
means that the "architecture" document is inadequate....
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
Key fingerprint = 2E 07 23 03 C5 62 70 D3 59 B1 4F 5E 1D C2 C1 A2