
Re: Corner-case question



> Are you having problems with a specific implementation not being flexible
> enough to handle this?

It's not a question of flexibility, it's a question of performing what are a
TON of gyrations to handle a corner case.  Lemme spell it out.

Let's go back to my picture:

> > 	A ==(IPsec through the internet)====== R ------<protected network>----

Let's assume that R has one IP address.  Let's look at what we want to
accomplish:

	R receives a packet:

		src=B, dst=A, next-hdr=TCP <tcp data>

	R wants to transmit:

		src=R, dst=A, next-hdr=ESP <encrypted IP packet shown above>

So how do I get from what I receive to what I transmit?  Let's look at the
different policy approaches:

If I have per-route policy, I have routing tables that look like:

	Dest		interface	gw	properties
	====		=========	==	==========
	Int. Network	le0		int. R1	gateway
	My subnet	le0		link	on-link
	default		le0		int. R2	gateway
	A		le0		int. R2 tunnel-mode to A, gateway

So I receive the B->A packet, I look up its route, and then tunnel it.  I now
have the R->A packet.  I look up its route, and then tunnel it.  I now have
the R->A packet....  So a naive implementation will loop.  Let's add some
smarts.  How 'bout if the source address is mine, then I don't tunnel.  Okay,
this means if I talk to A, I talk to A in the clear.  So what about the bad
guy inside my net who sends a cleartext packet to A by changing the source
address to R?  It may be only one datagram, and the returning packets will go
to R and be dumped, etc., but one forged datagram coming from outside could
be a problem.  Okay, so I check that it wasn't received off the wire....

The same can be said for checking policy before routing lookups (which means
two routing lookups more-or-less.)

I didn't say it was tough to figure out, what I did say was that it's a can
of worms.  The above checking is long and painful, and will slow things down.
Perhaps it's the price I must pay for total security.  If that's the case,
then that's a legitimate answer to my questions.

Dan


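As an added example (not part of Dan's post, nor of any implementation he is describing), here is a small Python model of the per-route policy table above: the naive "look up the route, tunnel, look up again" logic that loops on the R->A packet, beside the version that adds the two checks the post walks through (don't tunnel a packet whose source is mine, and drop a packet claiming my source address that arrived off the wire). The addresses standing in for A, R and B, the interface names and the packet model are all constructed for the illustration.

```python
"""Model of the per-route IPsec policy lookup discussed in the post.

Added example, not from the original thread.  Addresses, interface names
and the packet model are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the post's A, R and B.
A = ipaddress.ip_address("198.51.100.1")   # remote IPsec peer
R = ipaddress.ip_address("203.0.113.1")    # the gateway's single address
B = ipaddress.ip_address("10.0.0.5")       # a host on the protected network


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str                      # "TCP" or "ESP"
    payload: object = None          # inner Packet when proto == "ESP"
    ingress: Optional[str] = None   # interface it arrived on; None = generated by R


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gw: str
    tunnel_to: Optional[ipaddress.IPv4Address] = None   # set => tunnel-mode route


# The post's routing table, with the tunnel policy hung off the route for A.
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/8"), "le0", "int. R1"),        # Int. Network
    Route(ipaddress.ip_network("203.0.113.0/24"), "le0", "link"),       # My subnet
    Route(ipaddress.ip_network("0.0.0.0/0"), "le0", "int. R2"),         # default
    Route(ipaddress.ip_network("198.51.100.1/32"), "le0", "int. R2",
          tunnel_to=A),                                                 # A, tunnel-mode
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table."""
    return max((r for r in routes if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen)


def encapsulate(pkt, peer):
    """Tunnel-mode: wrap pkt in a new ESP packet sourced from R.
    R generated the outer packet itself, so its ingress is None."""
    return Packet(src=R, dst=peer, proto="ESP", payload=pkt, ingress=None)


class LoopDetected(Exception):
    pass


def naive_forward(pkt, routes=ROUTES, limit=8):
    """Tunnel whenever the route says so, then route the result again.
    The R->A packet matches the same tunnel route, so this never settles."""
    for _ in range(limit):
        route = lookup(pkt.dst, routes)
        if route.tunnel_to is None:
            return pkt
        pkt = encapsulate(pkt, route.tunnel_to)
    raise LoopDetected(f"still tunnelling after {limit} lookups")


def hardened_forward(pkt, routes=ROUTES, my_addrs=frozenset({R})):
    """The post's two fixes: never tunnel a packet sourced from R, and drop a
    packet that claims R as its source but was received off the wire.
    Returns (verdict, packet) where verdict is "send" or "drop"."""
    if pkt.src in my_addrs:
        if pkt.ingress is not None:
            return ("drop", pkt)   # forged: R never receives its own packets
        return ("send", pkt)       # locally generated or already encapsulated
    route = lookup(pkt.dst, routes)
    if route.tunnel_to is None:
        return ("send", pkt)
    # Second routing lookup, on the encapsulated packet (the "two lookups" cost).
    return hardened_forward(encapsulate(pkt, route.tunnel_to), routes, my_addrs)
```

Note that the hardened version preserves the consequence the post points out: a packet R generates itself towards A (ingress None, source R) is sent in the clear rather than tunnelled, and every tunnelled packet costs a second lookup.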