Re: Corner-case question
> Are you having problems with a specific implementation not being flexible
> enough to handle this?
It's not a question of flexibility, it's a question of performing what are a
TON of gyrations to handle a corner case. Lemme spell it out.
Let's go back to my picture:
> > A ==(IPsec through the internet)====== R ------<protected network>----
Let's assume that R has one IP address. Let's look at what we want to
accomplish:
R receives a packet:
src=B, dst=A, next-hdr=TCP <tcp data>
R wants to transmit:
src=R, dst=A, next-hdr=ESP <encrypted IP packet shown above>
So how do I get from what I receive to what I transmit? Let's look at the
different policy approaches:
If I have per-route policy, I have routing tables that look like:
Dest interface gw properties
==== ========= == ==========
Int. Network le0 int. R1 gateway
My subnet le0 link on-link
default le0 int. R2 gateway
A le0 int. R2 tunnel-mode to A, gateway
So I receive the B->A packet, I look up its route, and then tunnel it. I now
have the R->A packet. I look up its route, and then tunnel it. I now have
the R->A packet.... So a naive implementation will loop. Let's add some
smarts. How 'bout if the source address is mine, then I don't tunnel. Okay,
this means if I talk to A, I talk to A in the clear. So what about the bad
guy inside my net who sends a cleartext packet to A by changing the source
address to R? It may be only one datagram, and the returning packets will go
to R and be dumped, etc., but one forged datagram coming from outside could
be a problem. Okay, so I check that it wasn't received off the wire....
The same can be said for checking policy before routing lookups (which means
two routing lookups more-or-less.)
I didn't say it was tough to figure out, what I did say was that it's a can
of worms. The above checking is long and painful, and will slow things down.
Perhaps it's the price I must pay for total security. If that's the case,
then that's a legitimate answer to my questions.
Dan
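The per-route policy decision Dan walks through, modelled as an added toy example (not code from this thread or from any IPsec implementation). The addresses, the route table and the off_wire flag are constructed for the illustration; naive_forward shows the loop, checked_forward adds the source-is-mine exemption and the received-off-the-wire check.

```python
from dataclasses import dataclass

# Constructed addresses: R is the gateway, A the remote IPsec peer, B a host inside.
R, A, B = "10.0.0.1", "192.0.2.10", "10.0.0.25"

# Per-route policy (constructed): destination -> tunnel-mode peer, or None for cleartext.
ROUTES = {A: A}

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str        # "TCP" or "ESP"
    off_wire: bool    # True if received on an interface, False if R generated it

def tunnel_peer(dst):
    return ROUTES.get(dst)

def encapsulate(pkt, peer):
    # Tunnel mode: the whole packet becomes the ESP payload; outer src is R, dst is the peer.
    return Pkt(src=R, dst=peer, proto="ESP", off_wire=False)

def naive_forward(pkt, limit=8):
    """Tunnel whenever the route says so. Returns ("send", pkt) or ("loop", pkt)."""
    for _ in range(limit):
        peer = tunnel_peer(pkt.dst)
        if peer is None:
            return ("send", pkt)
        pkt = encapsulate(pkt, peer)   # R->A is looked up again and tunnelled again...
    return ("loop", pkt)

def checked_forward(pkt):
    """Source-is-mine exemption plus the 'was it received off the wire?' check."""
    peer = tunnel_peer(pkt.dst)
    if peer is None:
        return ("send", pkt)
    if pkt.src == R:
        if pkt.off_wire:               # nothing arriving on a wire may carry R's address
            return ("drop", pkt)
        return ("send", pkt)           # R's own ESP (or its own cleartext to A) goes out as-is
    return checked_forward(encapsulate(pkt, peer))
```

Note that checked_forward still sends R's own locally generated TCP packet to A in the clear, which is exactly the consequence Dan points out for the source-is-mine rule.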