Corner-case question



Hello folks!

I've a specific question about a corner-case involving router-to-host
tunnels.  Consider the following:

	A ==(IPsec through the internet)====== R ------<protected network>----

Say host A is a host that reaches the protected network via an IPsec tunnel
to router R.

My question is:	Is it possible/practical for R to have a single IP address,
		and the only way it is being "a router" is that it forwards
		packets tunnelled to it to its peers inside the protected
		network?  (Remember, a router is a machine that forwards
		packets.  That's the extent of the definition.)

If the answer to my question is yes, there's a small can of worms that opens
up regarding the routing tables on R (that exercise is left to the reader for
now).  If the answer to my question is no, there's a smaller policy question.
I'll assume the answer to my question is no, so I'll pose the smaller policy
question:

Policy question:	Assume R has two addresses, one with the prefix of
			the protected network (Rp), the other with a prefix
			that is reachable from the Internet (Ri).  If A
			sends datagrams to Ri (as a destination), do they
			have to be tunnelled?  Or do we assume R is smart
			enough to know that packets from Ri are to be trusted
			less than packets from Rp?

I suspect we should assume that R is smart enough to know the difference
between the two interfaces.  Otherwise, besides complicating R's life, A's
life becomes VERY complicated, if A is a machine that reaches the rest of the
Internet (including Ri) through a default route.  THIS can of worms is a
similar one to the can of worms I left as an exercise to the reader.  (BTW,
if A wants to talk to R securely, it can either talk to Rp, or it can set up
per-session IPsec to Ri.)

I suspect my previous suspicions, NO (or at least not practical) to the first
question, and NO (packets coming in on Ri can be clear, can't be trusted by
themselves), are the "correct" answers.  If not, we've a small can of worms
we need to discuss involving routing and/or invasive policy.

I think the ANX crowd may have thought about these, given Bob's penchant for
laptops on the road.  Perhaps Bob's VPN draft addresses this problem, but I
haven't read that yet.

Dan
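As an added illustration (not part of Dan's post) of why A's life gets complicated when A reaches Ri through its default route: a small model of A's security policy database (SPD) with first-match lookup, re-evaluated against the outer destination after each tunnel encapsulation. The addresses and the three SPDs are constructed assumptions; the "tunnel everything" SPD shows the loop that appears when packets to Ri themselves match the tunnel-to-Ri policy, and the other two show the bypass and per-session alternatives mentioned in the post.

```python
import ipaddress

# Constructed addresses for the scenario in the post (assumptions, not from the post):
# the protected network is 10.1.0.0/16 (Rp lives there), Ri is R's Internet-facing address.
PROTECTED = ipaddress.ip_network("10.1.0.0/16")
RI = ipaddress.ip_address("198.51.100.1")

# A's SPD entries are (destination selector, action, tunnel/transport peer); first match wins.
SPD_TUNNEL_EVERYTHING = [("0.0.0.0/0", "tunnel", RI)]                     # default-route style
SPD_BYPASS_RI = [(f"{RI}/32", "bypass", None), (str(PROTECTED), "tunnel", RI)]
SPD_TRANSPORT_RI = [(f"{RI}/32", "transport", RI), (str(PROTECTED), "tunnel", RI)]


def lookup(spd, dst):
    """First-match lookup of an outbound destination in A's SPD."""
    dst = ipaddress.ip_address(dst)
    for selector, action, peer in spd:
        if dst in ipaddress.ip_network(selector):
            return action, peer
    return "bypass", None  # no selector matched: send in the clear


def outer_destinations(spd, dst, max_depth=4):
    """Re-evaluate the SPD against each new outer destination produced by tunnel
    encapsulation, as an implementation would; return the chain of destinations,
    or raise when the outer packet to the tunnel endpoint would be tunnelled again."""
    chain = [ipaddress.ip_address(dst)]
    for _ in range(max_depth):
        action, peer = lookup(spd, chain[-1])
        if action != "tunnel":
            return chain
        if peer == chain[-1]:
            raise RuntimeError(f"SPD loop: packets to {peer} are tunnelled to {peer}")
        chain.append(peer)
    raise RuntimeError("encapsulation depth exceeded")
```

With SPD_BYPASS_RI, packets to the protected prefix are tunnelled to Ri and the resulting outer packet to Ri is sent in the clear; with SPD_TRANSPORT_RI the same outer packet gets a transport-mode SA to Ri instead.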
