Re: AH (without ESP) on a secure gateway
> David P. Kemp wrote:
> > > From: Steven Bellovin <smb@research.att.com>
> > >
> > > There's a second issue that has come up here -- how does one know which
> > > the right firewall is? This is one of the points I raised at the last
> > > IETF meeting; in my opinion, it's very closely related to the naming
> > > issue and the certificate issue, and we haven't really tackled either
> > > of those. (See ftp://ftp.research.att.com/dist/smb/ipsec-cert.ps for
> > > the (few) slides I used.)
> >
> > I thought there was only one firewall - Cheswick & Bellovin's
> > collection of components that can't be bypassed. Therefore there
> > isn't a "right" firewall.
>
> I think what he means is something you allude to later on when you mention
> setting a policy to choose tunnel endpoints. How do you identify the
> endpoint? How are you assured that FW A is, in fact, the appropriate one
> with which to establish a connection?
>
> >
> >                    +------+       ------------
> >             +------| FW A |>-----/            \
> >             |      +------+    |              |
> > +--------+  |                  |              |    +--------+
> > | Host 1 |--+ LAN              | The Internet |----<| Host 6 |
> > +--------+  |                  |              |    +--------+
> >             |      +------+    |              |
> >             +------| FW B |>---|              |
> >                    +------+     \            /
> >                                  ------------
> >
> > If Host 6 initiates a connection to Host 1, it shouldn't matter whether
> > the first packet of the SA setup gets routed to box "FW A" or "FW B" -
> > they are both part of the firewall that isolates Host 1 from the Net.
>
> If the packet is addressed to Host 1 I would imagine either FW A or FW B
> would drop it-- else they're not very good firewalls. Host 6 must decide what
> the encrypting firewall for host 1 is-- what is the "right" firewall-- and
> address packets to it. That is the crux of the problem. Once the SAs between
> FW (whatever) and Host 6 are established it's plain old tunnel mode IPsec:
>
> [IP:host6->FWx] [ESP] [IP:host6->host1] [blah]
>
> Dan.
Basically. More to the point, you want to make sure that hackers-r-us.edu
doesn't claim to be the firewall for spooks.nsa.gov (or some such).
Either spooks.nsa.gov or nsa.gov can delegate such control -- and we need
mechanisms to check that.
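The delegation rule stated in the message above (only spooks.nsa.gov itself, or a parent domain such as nsa.gov, may say who its firewall is) can be checked mechanically. The following is an added example, not code from the thread or from any IPsec implementation: it models a "gateway claim" (gateway name, protected host, the name that vouches for the claim, and a signature), accepts the claim only when the voucher is the host or one of its ancestor domains and the signature verifies under that voucher's key, and then shows how Host 6 picks the gateway to address the SA setup to. The key table, host names and gateway names are constructed for illustration, and signatures are simulated with HMAC over a per-voucher secret as a stand-in for the public-key signatures a real certificate scheme would use.

```python
"""Added example: checking that a security gateway is authorised to act
for a host before sending it the SA setup.  Not from the original thread.

Assumptions (all constructed for illustration):
  * AUTHORIZER_KEYS plays the role of a directory of verification keys;
  * HMAC-SHA256 stands in for a public-key signature;
  * names are DNS-style and compared case-insensitively.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed key directory: name that vouches for a claim -> its key.
AUTHORIZER_KEYS: Dict[str, bytes] = {
    "spooks.nsa.gov": b"key-of-spooks",
    "nsa.gov": b"key-of-nsa",
    "hackers-r-us.edu": b"key-of-hackers",
}


def _norm(name: str) -> str:
    """Canonicalise a DNS name: lowercase, no trailing dot."""
    return name.strip().lower().rstrip(".")


@dataclass(frozen=True)
class GatewayClaim:
    gateway: str     # box that claims to be the firewall
    protected: str   # host it claims to protect
    authorizer: str  # name under whose key the claim is signed
    signature: bytes


def _payload(gateway: str, protected: str, authorizer: str) -> bytes:
    return f"{_norm(gateway)}|{_norm(protected)}|{_norm(authorizer)}".encode()


def sign_claim(gateway: str, protected: str, authorizer: str, key: bytes) -> GatewayClaim:
    """Produce a claim signed under `key` (simulated signature, see module docstring)."""
    sig = hmac.new(key, _payload(gateway, protected, authorizer), hashlib.sha256).digest()
    return GatewayClaim(gateway, protected, authorizer, sig)


def is_self_or_ancestor(authorizer: str, host: str) -> bool:
    """True iff `authorizer` is `host` itself or a parent domain of it.

    The leading dot in the suffix test stops xnsa.gov from matching spooks.nsa.gov.
    """
    a, h = _norm(authorizer), _norm(host)
    return h == a or h.endswith("." + a)


def verify_claim(claim: GatewayClaim, keys: Dict[str, bytes] = AUTHORIZER_KEYS) -> bool:
    """Accept the claim only if the voucher may delegate for the host AND the
    signature verifies under the voucher's key.  Both checks are needed:
    a valid signature from hackers-r-us.edu says nothing about nsa.gov hosts,
    and an unsigned assertion of "nsa.gov" could be made by anyone."""
    if not is_self_or_ancestor(claim.authorizer, claim.protected):
        return False
    key = keys.get(_norm(claim.authorizer))
    if key is None:
        return False
    expected = hmac.new(key, _payload(claim.gateway, claim.protected, claim.authorizer),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, claim.signature)


def choose_gateway(host: str, claims: Iterable[GatewayClaim],
                   keys: Dict[str, bytes] = AUTHORIZER_KEYS) -> Optional[str]:
    """Host 6's decision: the first verified claim for `host` names the box
    to which the SA setup (and later the outer IP header) is addressed."""
    for c in claims:
        if _norm(c.protected) == _norm(host) and verify_claim(c, keys):
            return c.gateway
    return None


def tunnel_headers(src: str, gateway: str, dst: str) -> tuple:
    """Tunnel-mode layout once the gateway is known: outer header to the
    gateway, ESP, inner header to the real destination."""
    return (("IP", src, gateway), "ESP", ("IP", src, dst))


if __name__ == "__main__":
    ok = sign_claim("fw-a.nsa.gov", "spooks.nsa.gov", "nsa.gov", AUTHORIZER_KEYS["nsa.gov"])
    rogue = sign_claim("fw.hackers-r-us.edu", "spooks.nsa.gov", "hackers-r-us.edu",
                       AUTHORIZER_KEYS["hackers-r-us.edu"])
    gw = choose_gateway("spooks.nsa.gov", [rogue, ok])
    print(gw, tunnel_headers("host6", gw, "spooks.nsa.gov"))
```

The rogue claim fails on the delegation test before its signature is even looked at; a claim that names nsa.gov as voucher but was not signed with nsa.gov's key fails on the signature test. Either failure means Host 6 does not send the SA setup to that box.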