
Re[2]: AH (without ESP) on a secure gateway




Steve,

I agree with you.  My statement was too strong.  I did suggest that these
issues (issue of tunnel mode only for firewall-to-firewall communications
raised by Steve Bellovin) be discussed in one or more of the RFCs (e.g.,
Section 5.1, Use With Firewalls, in Security Architecture for Internet
Protocol).  The point I was making (or tried to make) is that the selection
of particular configurable options or parameters defined in a standard may
not be safe for specific threat environments.  If these issues (or red
flags) (with particular IPSEC configurations) are not discussed in the
standard then they should be discussed in vendor product literature.

   -Brian


>Bill,
>
>        You were absolutely right to raise this issue; the debate that
>ensued, on both sides, clearly showed the need for the discussion.  I think
>the architecture and AH specs have not been clear about this.  In fact, I
>am willing to bet that my re-write didn't get this right either!  Contrary
>to the suggestion made by Brian McKenney, I do think this is a standards
>issue.  If two security gateways (to use the terminology in the IPSEC
>documents) choose to use AH in transport mode between themselves, to create
>an authenticated and integrity protected security association for all
>traffic between the sites, this will impinge on the ability of subscriber
>hosts served by these gateways to make use of AH in transport mode.  Thus,
>to avoid deployment of security gateways that can be configured in a
>fashion that would cause such problems, and because there are alternative
>IPSEC configurations that will achieve the desired security goals, I think
>it imperative that the standards prohibit this use of AH.
>
>Steve