[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: notes from developer's portion of IETF meeting

To: Uwe Ellermann <Ellermann@fwl.dfn.de>
Subject: Re: notes from developer's portion of IETF meeting
From: "Angelos D. Keromytis" <angelos@dsl.cis.upenn.edu>
Date: Thu, 24 Apr 1997 17:06:52 +0100
cc: ipsec@tis.com, ho@earth.hpc.org, adams@cisco.com
In-reply-to: Your message of "Thu, 24 Apr 1997 09:12:33 +0200." <199704240712.JAA03901@wave.fwl.dfn.de>
Sender: owner-ipsec@ex.tis.com

-----BEGIN PGP SIGNED MESSAGE-----


In message <199704240712.JAA03901@wave.fwl.dfn.de>, Uwe Ellermann writes:
>
>Considering a VPN scenario using tunnel-mode ESP, mandatory
>integrity for ESP wouldn't gain much more security, iff all
>tunneled IP packets are already required to use AH by the 
>site's policy. It should be possible to save the additional 
>overhead of applying integrity mechanisms twice (ie. AH and ESP) 
>on the same data.

So your end host is creating packets with an AH header. Who can verify
this AH header ?
- - Your local firewall: Not useful in the general case. All it does it
  further assure the firewall that you're who you claim you are. But
  since the packets appear on the trusted network, this is already
  implied. In this case, the local firewall would strip that header,
  add an ESP(*) header to the remote firewall and send the packet out.

- - The remote end host: How would the remote firewall know when to let
  packets in ? Remember, it can't verify them. In this case, your
  local firewall would add the ESP header to prove to the other
  firewall that the packet came from a trusted network (VPN and all 
  that). Usually, this AH SPI would be established after the firewalls
  themselves have established an ESP SPI.

- - The remote firewall: In that case, you don't really need the local
firewall to do anything; you should use ESP to the remote firewall,
and the local firewall should do nothing. This would imply that your
administrator trusts you not to violate the VPN. If he doesn't, then
you shouldn't be able to establish an SPI with the remote
firewall/host in the first place (wouldn't allow the KMP to run in
proxy mode, or whatever it's called today).

- - A (sub)set of the above: we don't have group shared keys (yet ?).

(*) ESP with authentication

So i think the scenario you presented is unrealistic.
- -Angelos


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBM1/La70pBjh2h1kFAQFw8QP/aUZQ+RPttO4kr6K1W44NBaVV86tPpBNU
zVl7VVF3bYILoqmLvFuYeehAr5b5WWJL51wlYU8lH6tpCXMAZAxWzFmopHjGTQxj
XM4SQIVdxAshW59zsmkcSIHCWR+Hqqfn0AEHde0x6YhNMp8WjETesvzamfIIM5r1
Wys6kEgz/DU=
=i+KC
-----END PGP SIGNATURE-----

References:

RE: notes from developer's portion of IETF meeting

From: Uwe Ellermann <Ellermann@fwl.dfn.de>

Prev by Date: RE: notes from developer's portion of IETF meeting
Next by Date: policy versus protocol
Prev by thread: RE: notes from developer's portion of IETF meeting
Next by thread: Re: notes from developer's portion of IETF meeting
Index(es):
- Main
- Thread