Re: AH (without ESP) on a secure gateway
David P. Kemp wrote:
> > From: Steven Bellovin <smb@research.att.com>
> >
> > There's a second issue that has come up here -- how does one know which
> > the right firewall is? This is one of the points I raised at the last
> > IETF meeting; in my opinion, it's very closely related to the naming
> > issue and the certificate issue, and we haven't really tackled either
> > of those. (See ftp://ftp.research.att.com/dist/smb/ipsec-cert.ps for
> > the (few) slides I used.)
>
> I thought there was only one firewall - Cheswick & Bellovin's
> collection of components that can't be bypassed. Therefore there
> isn't a "right" firewall.
I think what he means is something you allude to later on when you mention
setting a policy to choose tunnel endpoints. How do you identify the
endpoint? How are you assured that FW A is, in fact, the appropriate one
with which to establish a connection?
>
>                         +------+       ------------
>                 +-------| FW A |>-----/            \
>                 |       +------+     |              |
> +--------+      |                    | The Internet |     +--------+
> | Host 1 |------+ LAN                |              |----<| Host 6 |
> +--------+      |                    |              |     +--------+
>                 |       +------+     |              |
>                 +-------| FW B |>----|              |
>                         +------+      \            /
>                                        ------------
>
> If Host 6 initiates a connection to Host 1, it shouldn't matter whether
> the first packet of the SA setup gets routed to box "FW A" or "FW B" -
> they are both part of the firewall that isolates Host 1 from the Net.
If the packet is addressed to Host 1 I would imagine either FW A or FW B
would drop it-- else they're not very good firewalls. Host 6 must decide what
the encrypting firewall for host 1 is-- what is the "right" firewall-- and
address packets to it. That is the crux of the problem. Once the SAs between
FW (whatever) and Host 6 are established it's plain old tunnel mode IPsec:
[IP:host6->FWx] [ESP] [IP:host6->host1] [blah]
Dan.
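The gateway-selection point made in this thread, as an added model (not code from any of the posters): Host 6 answers the "which firewall?" question from a local policy table, builds the [IP:host6->FWx] [ESP] [IP:host6->host1] [data] layout described above, and each firewall only decapsulates ESP that is addressed to it and matches an SA it negotiated. Addresses, the SPI, the key and the policy table are constructed; the ESP modelled here is integrity-only (SPI, sequence number, truncated HMAC) with no encryption, padding or trailer, so it shows the packet structure rather than real ESP processing.

```python
from __future__ import annotations
import hashlib
import hmac
import ipaddress
import socket
import struct
from dataclasses import dataclass

# Constructed addresses for the hosts and firewalls in the diagram (assumptions).
HOST1, HOST6 = "10.1.0.10", "192.0.2.6"
FW_A, FW_B = "198.51.100.1", "198.51.100.2"
ESP = 50            # IANA protocol number for ESP
INNER_PROTO = 253   # "experimental" protocol number, stands in for the inner payload type
ICV_LEN = 12        # truncated HMAC length used by this model


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero since nothing here routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) for a packet built by ipv4_header()."""
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, pkt[20:total_len]


@dataclass
class SA:
    """One direction of a tunnel-mode security association (model: integrity only)."""
    spi: int
    peer: str      # the other tunnel endpoint
    key: bytes     # stands in for keying material IKE would have produced
    seq: int = 0   # last sequence number sent or accepted


class Host:
    """Host 6: picks the tunnel endpoint from policy, then builds [IP][ESP][IP][data]."""
    def __init__(self, addr: str, gateway_policy: dict[str, str]):
        self.addr = addr
        self.policy = {ipaddress.ip_network(p): gw for p, gw in gateway_policy.items()}
        self.sas: dict[str, SA] = {}   # gateway address -> outbound SA

    def select_gateway(self, dst: str) -> str:
        """The 'right firewall' question: which gateway protects dst? Answered by policy."""
        ip = ipaddress.ip_address(dst)
        for net, gw in self.policy.items():
            if ip in net:
                return gw
        raise LookupError(f"no gateway configured for {dst}")

    def send(self, dst: str, payload: bytes) -> bytes:
        gw = self.select_gateway(dst)
        sa = self.sas[gw]                       # a missing SA would need IKE first
        inner = ipv4_header(self.addr, dst, INNER_PROTO, 20 + len(payload)) + payload
        sa.seq += 1
        esp = struct.pack("!II", sa.spi, sa.seq) + inner
        esp += hmac.new(sa.key, esp, hashlib.sha256).digest()[:ICV_LEN]
        return ipv4_header(self.addr, gw, ESP, 20 + len(esp)) + esp


class Firewall:
    """An encrypting gateway: decapsulates ESP addressed to itself, drops everything else."""
    def __init__(self, addr: str):
        self.addr = addr
        self.sas: dict[int, SA] = {}   # SPI -> inbound SA

    def receive(self, pkt: bytes) -> tuple[str, bytes | None]:
        src, dst, proto, payload = parse_ipv4(pkt)
        if dst != self.addr:
            return "DROP: inbound packet not addressed to the gateway", None
        if proto != ESP:
            return "DROP: not ESP", None
        spi, seq = struct.unpack("!II", payload[:8])
        sa = self.sas.get(spi)
        if sa is None or sa.peer != src:
            return f"DROP: no SA for SPI {spi:#x} from {src}", None
        body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
        expected = hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):
            return "DROP: integrity check failed", None
        if seq <= sa.seq:
            return "DROP: replayed sequence number", None
        sa.seq = seq
        return "FORWARD", body[8:]   # the inner [IP:host6->host1] datagram goes onto the LAN


def describe(pkt: bytes) -> str:
    """Render a packet in the [IP:a->b] [ESP] [IP:a->b] [data] notation from the thread."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != ESP:
        return f"[IP:{src}->{dst}] [{len(payload)} bytes]"
    spi = struct.unpack("!I", payload[:4])[0]
    return f"[IP:{src}->{dst}] [ESP spi={spi:#x}] " + describe(payload[8:-ICV_LEN])


def demo() -> dict[str, str]:
    key = bytes(range(32))                                    # constructed key
    fw_a, fw_b = Firewall(FW_A), Firewall(FW_B)
    fw_a.sas[0x1001] = SA(spi=0x1001, peer=HOST6, key=key)   # negotiated with FW A only
    host6 = Host(HOST6, {"10.1.0.0/24": FW_A})               # policy: FW A protects Host 1's net
    host6.sas[FW_A] = SA(spi=0x1001, peer=FW_A, key=key)
    tunnelled = host6.send(HOST1, b"hello")
    bare = ipv4_header(HOST6, HOST1, INNER_PROTO, 25) + b"hello"          # no tunnel at all
    readdressed = ipv4_header(HOST6, FW_B, ESP, len(tunnelled)) + tunnelled[20:]  # wrong gateway
    return {
        "layout": describe(tunnelled),
        "tunnelled at FW A": fw_a.receive(tunnelled)[0],
        "tunnelled at FW B": fw_b.receive(tunnelled)[0],
        "readdressed to FW B": fw_b.receive(readdressed)[0],
        "bare at FW A": fw_a.receive(bare)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

Only the packet addressed to the gateway that actually holds the SA gets through; the same ESP delivered to FW B, or re-addressed to it, is dropped because FW B has no SA for that SPI, and a bare packet for Host 1 is dropped at either box.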