
Re: AH (without ESP) on a secure gateway
> David P. Kemp wrote:
> > > From: Steven Bellovin <smb@research.att.com>
> > > 
> > > There's a second issue that has come up here -- how does one know which
> > > the right firewall is?  This is one of the points I raised at the last
> > > IETF meeting; in my opinion, it's very closely related to the naming
> > > issue and the certificate issue, and we haven't really tackled either
> > > of those.  (See ftp://ftp.research.att.com/dist/smb/ipsec-cert.ps for
> > > the (few) slides I used.)
> > 
> > I thought there was only one firewall - Cheswick & Bellovin's
> > collection of components that can't be bypassed.  Therefore there
> > isn't a "right" firewall.
> 
> I think what he means is something you allude to later on when you mention
> setting a policy to choose tunnel endpoints. How do you identify the
> endpoint? How are you assured that FW A is, in fact, the appropriate one
> with which to establish a connection?
> 
> > 
> >                          +------+       ------------
> >                  +-------| FW A |>-----/            \
> >                  |       +------+     |              |
> >  +--------+      |                    | The Internet |     +--------+
> >  | Host 1 |------+ LAN                |              |----<| Host 6 |
> >  +--------+      |                    |              |     +--------+
> >                  |       +------+     |              |
> >                  +-------| FW B |>----|              |
> >                          +------+      \            /
> >                                         ------------
> >
> > If Host 6 initiates a connection to Host 1, it shouldn't matter whether
> > the first packet of the SA setup gets routed to box "FW A" or "FW B" -
> > they are both part of the firewall that isolates Host 1 from the Net.
> 
> If the packet is addressed to Host 1 I would imagine either FW A or FW B
> would drop it-- else they're not very good firewalls. Host 6 must decide what 
> the encrypting firewall for host 1 is-- what is the "right" firewall-- and 
> address packets to it. That is the crux of the problem. Once the SAs between
> FW (whatever) and Host 6 are established it's plain old tunnel mode IPsec:
> 
>     [IP:host6->FWx] [ESP] [IP:host6->host1] [blah]
> 
>   Dan.

Basically.  More to the point, you want to make sure that hackers-r-us.edu
doesn't claim to be the firewall for spooks.nsa.gov (or some such).
Either spooks.nsa.gov or nsa.gov can delegate such control -- and we need
mechanisms to check that.
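The check the message asks for, as an added illustration that is not part of this thread and not how IKE or any IPsec implementation actually does it: the initiator (Host 6) only addresses its SA setup to a gateway whose claim to protect the target host was signed by that host's own domain or a parent of it. HMAC with a per-domain key stands in for a real signature so the example runs offline, and all names and keys are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed trust anchors: which key is allowed to speak for which domain.
# In practice these would be certificates; HMAC keys are a stand-in here.
DOMAIN_KEYS = {
    "nsa.gov": b"constructed-key-for-nsa.gov",
    "hackers-r-us.edu": b"constructed-key-for-hackers-r-us.edu",
}

@dataclass(frozen=True)
class GatewayAssertion:
    protected: str   # host or domain the gateway claims to protect
    gateway: str     # the security gateway being asserted (FW A, FW B, ...)
    issuer: str      # domain whose key signed the assertion
    tag: bytes       # signature stand-in (HMAC over the three fields)

def _message(protected, gateway, issuer):
    return f"{protected}|{gateway}|{issuer}".encode()

def sign(protected, gateway, issuer):
    """Issue an assertion signed with the issuer domain's key."""
    tag = hmac.new(DOMAIN_KEYS[issuer], _message(protected, gateway, issuer),
                   hashlib.sha256).digest()
    return GatewayAssertion(protected, gateway, issuer, tag)

def issuer_may_speak_for(issuer, protected):
    # A domain may delegate for itself or anything beneath it: nsa.gov may
    # name a gateway for spooks.nsa.gov, but hackers-r-us.edu may not.
    return protected == issuer or protected.endswith("." + issuer)

def verify(a):
    """True only if the tag is valid AND the issuer is entitled to delegate."""
    key = DOMAIN_KEYS.get(a.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _message(a.protected, a.gateway, a.issuer),
                        hashlib.sha256).digest()
    return (hmac.compare_digest(expected, a.tag)
            and issuer_may_speak_for(a.issuer, a.protected))

def choose_gateway(target_host, assertions):
    """Gateway Host 6 should address its SA setup to, or None if no valid claim."""
    for a in assertions:
        covers = target_host == a.protected or target_host.endswith("." + a.protected)
        if covers and verify(a):
            return a.gateway
    return None
```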