
Re: AH (without ESP) on a secure gateway




>It's very clear to me that firewall-to-firewall IPSEC -- whether it's
>ESP or AH -- should be done *only* in tunnel mode.  To do otherwise
>is inviting trouble.  In fact, I had thought that was what was done --
>no other possibility had occurred to me.

This is more an implementation issue than a standards issue.  If you
have an IPSEC-compliant firewall, then ESP Transport Mode could be used for
firewall-to-firewall encryption.  Vendors should note in their
documentation the possible problems and issues with this mode for
firewall-to-firewall communications.  The documentation should address
threat environments, likelihood of threats, and whether some threats go
away with certain transforms.  Maybe Section 5.1, Use with Firewalls (in
Security Architecture for the Internet Protocol), should provide a
discussion of this issue.  Your concerns also apply to desktop-to-desktop
IPSEC.

An example of standard vs. implementation is key management.  The standard
notes that manual key management can be performed.  I remember reading one
vendor manual that provides a warning that you should not communicate SA
attributes over a cordless telephone.  This is completely outside the scope
of the standard.

   -Brian
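The transport-versus-tunnel question the two messages above debate, as an added model that is not part of this thread: it shows which addresses an observer between two security gateways sees for each mode and protocol, and flags transit traffic (packets from hosts behind the gateways) offered to a transport-mode SA, which the IPsec architecture reserves for traffic whose endpoints are the SA endpoints. All addresses are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    mode: str        # "transport" or "tunnel"
    proto: str       # "AH" or "ESP"
    local_gw: str    # constructed sample gateway addresses
    remote_gw: str

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def on_the_wire(sa: SA, pkt: Packet) -> dict:
    """Describe the protected packet as seen between the gateways.

    Transport mode keeps the original IP header and inserts the AH/ESP
    header after it.  Tunnel mode wraps the whole original packet in a new
    IP header addressed gateway-to-gateway; ESP encrypts everything after
    its header, so the inner header is hidden, while AH only authenticates,
    so with AH the inner addresses remain readable.
    """
    if sa.mode == "transport":
        return {"outer": (pkt.src, pkt.dst), "inner_visible": None}
    inner = (pkt.src, pkt.dst) if sa.proto == "AH" else "encrypted"
    return {"outer": (sa.local_gw, sa.remote_gw), "inner_visible": inner}

def problems(sa: SA, pkt: Packet) -> list:
    """Return configuration problems for carrying pkt over sa."""
    issues = []
    endpoints = {sa.local_gw, sa.remote_gw}
    transit = pkt.src not in endpoints or pkt.dst not in endpoints
    if sa.mode == "transport" and transit:
        issues.append("transit traffic on a transport-mode SA: transport mode "
                      "protects only packets whose endpoints are the SA "
                      "endpoints; forwarded traffic needs tunnel mode")
    if sa.proto == "AH":
        issues.append("AH without ESP: addresses and payload are authenticated "
                      "but not encrypted, so they are readable on the wire")
    return issues
```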



