Re: AH (without ESP) on a secure gateway
> To: Stephen Kent <kent@bbn.com>
> cc: Michael Richardson <mcr@sandelman.ottawa.on.ca>, ipsec@tis.com
> Subject: Re: AH (without ESP) on a secure gateway
> Date: Tue, 03 Dec 1996 23:58:30 -0500
> From: Steven Bellovin <smb@research.att.com>
>
> There's a second issue that has come up here -- how does one know which
> the right firewall is? This is one of the points I raised at the last
> IETF meeting; in my opinion, it's very closely related to the naming
> issue and the certificate issue, and we haven't really tackled either
> of those. (See ftp://ftp.research.att.com/dist/smb/ipsec-cert.ps for
> the (few) slides I used.)
I thought there was only one firewall - Cheswick & Bellovin's
collection of components that can't be bypassed. Therefore there
isn't a "right" firewall.
A simplified rendition of one of Stephen Kent's slides illustrates
the context:
                     +------+          ------------
             +-------| FW A |>-----/              \
             |       +------+     |                |
+--------+   |                    |  The Internet  |     +--------+
| Host 1 |---+ LAN                |                |----<| Host 6 |
+--------+   |                    |                |     +--------+
             |       +------+     |                |
             +-------| FW B |>----|                |
                     +------+      \              /
                                    ------------
If Host 6 initiates a connection to Host 1, it shouldn't matter whether
the first packet of the SA setup gets routed to box "FW A" or "FW B" -
they are both part of the firewall that isolates Host 1 from the Net.
If the tunnel-mode connection between Host 6 and one of the FW boxes
has properties that depend on where the first packet happens to arrive,
or if Host 6 is able to choose a policy by choosing the tunnel endpoint,
then the firewall probably isn't doing what its operators intended.
Am I missing a different context to which the question applies?
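The property argued for above, that the policy applied to Host 1 must not depend on whether the first packet reaches FW A or FW B, is something an operator can check mechanically. The following script is an added example and is not code from the post or from any IPsec implementation: it models each gateway's security policy database (SPD) as an ordered list of selector entries with first-match semantics and a default of discard, then runs a set of probe flows through both and reports every flow on which the two boxes disagree. The SPD entries, the addresses (Host 1 as 10.1.1.10, Host 6 as 192.0.2.6) and the stale bypass rule on FW B are all constructed for the illustration.

```python
"""Audit that two gateways forming one firewall enforce the same policy.

Added example for the thread's point; not code from the original post
or from any IPsec implementation.  All SPD entries, hosts and addresses
are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SpdEntry:
    remote: str            # Internet-side selector, CIDR
    local: str             # protected LAN-side selector, CIDR
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # local port, None means any port
    action: str            # "protect" (SA required), "bypass" or "discard"

    def matches(self, remote_ip, local_ip, proto, port):
        return (remote_ip in ipaddress.ip_network(self.remote)
                and local_ip in ipaddress.ip_network(self.local)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def decide(spd, remote_ip, local_ip, proto, port):
    """First-match lookup over an ordered SPD; no match means discard."""
    for entry in spd:
        if entry.matches(remote_ip, local_ip, proto, port):
            return entry.action
    return "discard"


def find_divergence(spd_a, spd_b, probes):
    """Return (probe, decision_a, decision_b) for every probe on which
    the two gateways would apply different policy."""
    diffs = []
    for remote, local, proto, port in probes:
        r = ipaddress.ip_address(remote)
        l = ipaddress.ip_address(local)
        a = decide(spd_a, r, l, proto, port)
        b = decide(spd_b, r, l, proto, port)
        if a != b:
            diffs.append(((remote, local, proto, port), a, b))
    return diffs


# Constructed SPDs.  FW B carries a stale bypass rule for Host 1's SMTP
# port, so an initiator reaching FW B first would get weaker treatment.
FW_A = [
    SpdEntry("0.0.0.0/0", "10.1.1.10/32", "tcp", 25, "protect"),
    SpdEntry("0.0.0.0/0", "10.1.1.0/24", "any", None, "protect"),
]
FW_B = [
    SpdEntry("0.0.0.0/0", "10.1.1.10/32", "tcp", 25, "bypass"),
    SpdEntry("0.0.0.0/0", "10.1.1.0/24", "any", None, "protect"),
]


def probe_set():
    """Constructed sample flows from Host 6 (192.0.2.6) into the LAN."""
    return [
        ("192.0.2.6", "10.1.1.10", "tcp", 25),   # Host 1, SMTP
        ("192.0.2.6", "10.1.1.10", "tcp", 80),   # Host 1, HTTP
        ("192.0.2.6", "10.1.1.20", "udp", 53),   # another LAN host
    ]


def audit():
    """Run the probe set through both gateways and return the disagreements."""
    return find_divergence(FW_A, FW_B, probe_set())


if __name__ == "__main__":
    for probe, a, b in audit():
        print(f"policy differs for {probe}: FW A={a}, FW B={b}")
```

Run it and the only report is the SMTP flow to Host 1, which FW A would protect and FW B would let through in the clear. Probes are deliberately enumerated rather than derived from the rules, so the same audit can be pointed at the real traffic an operator expects to see; a comparison that is silent for every expected flow is the evidence that the two boxes really are one firewall.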