
Re: Corner-case question




> From: Dan.McDonald@Eng (Dan McDonald)

> Let's go back to my picture:
> 
> > > 	A ==(IPsec through the internet)====== R ------<protected network>----
> 
> Let's assume that R has one IP address.  Let's look at what we want to
> accomplish:
> 
> 	R receives a packet:
> 
> 		src=B, dst=A, next-hdr=TCP <tcp data>
> 
> 	R wants to transmit:
> 
> 		src=R, dst=A, next-hdr=ESP <encrypted IP packet shown above>
> 
> So how do I get from what I receive to what I transmit?  Let's look at the
> different policy approaches:
> 
> If I have per-route policy, I have routing tables that look like:
> 
> 	Dest		interface	gw	properties
> 	====		=========	==	==========
> 	Int. Network	le0		int. R1	gateway
> 	My subnet	le0		link	on-link
> 	default		le0		int. R2	gateway
> 	A		le0		int. R2 tunnel-mode to A, gateway
> 
> So I receive the B->A packet, I look up its route, and then tunnel it.  I now
> have the R->A packet.  I look up its route, and then tunnel it.  I now have
> the R->A packet....  So a naive implementation will loop.  Let's add some
> smarts.  How 'bout if the source address is mine, then I don't tunnel.  Okay,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> this means if I talk to A, I talk to A in the clear.  So what about the bad
> guy inside my net who sends a cleartext packet to A by changing the source
> address to R?  It may be only one datagram, and the returning packets will go
> to R and be dumped, etc., but one forged datagram coming from outside could
> be a problem.  Okay, so I check that it wasn't received off the wire....

Would it help to modify the rule as follows:

   if the source address is mine *and* the packet has already been
   processed by IPSEC then don't tunnel again
   
- vipul
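An added simulation of the output-processing loop Dan describes and of the two candidate rules (the "source address is mine" rule and Vipul's "mine *and* already processed by IPSEC" rule). This is example code written for this archive page, not code from either poster or from any IPsec implementation. It assumes a per-packet `ipsec_processed` mark that R's own stack sets when it applies tunnel-mode ESP, and it reduces Dan's routing table to the two entries that matter here (the host route to A with tunnel-mode policy, and the default route).

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed address labels matching Dan's picture: A is the IPsec peer,
# B is a host on R's protected network, R is the gateway's single address.
A_ADDR, B_ADDR, R_ADDR = "A", "B", "R"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    next_hdr: str                      # "TCP" for cleartext, "ESP" for tunnelled
    ipsec_processed: bool = False      # assumed per-packet mark set by R's own ESP code
    inner: Optional["Packet"] = None   # the encapsulated packet when next_hdr == "ESP"


@dataclass(frozen=True)
class Route:
    dest: str                          # host/network label or "default"
    gw: str
    tunnel_to: Optional[str] = None    # per-route policy: tunnel-mode peer, if any


# Per-route policy table, reduced from Dan's example.
ROUTES = [
    Route("A", "int. R2", tunnel_to=A_ADDR),   # "tunnel-mode to A, gateway"
    Route("default", "int. R2"),
]


def lookup(dst: str) -> Route:
    """Longest-match stand-in: exact host route first, else the default route."""
    for r in ROUTES:
        if r.dest == dst:
            return r
    return next(r for r in ROUTES if r.dest == "default")


def tunnel(pkt: Packet, peer: str) -> Packet:
    """Tunnel-mode ESP: new outer header src=R, dst=peer, carrying pkt inside."""
    return Packet(src=R_ADDR, dst=peer, next_hdr="ESP",
                  ipsec_processed=True, inner=pkt)


Policy = Callable[[Packet, Route], bool]   # True means "apply the route's tunnel"


def naive_policy(pkt: Packet, route: Route) -> bool:
    return True                                 # tunnel whenever the route says so


def src_is_mine_policy(pkt: Packet, route: Route) -> bool:
    return pkt.src != R_ADDR                    # Dan's first attempt


def vipul_policy(pkt: Packet, route: Route) -> bool:
    # Vipul's refinement: skip only if source is mine AND IPsec already ran.
    return not (pkt.src == R_ADDR and pkt.ipsec_processed)


def forward(pkt: Packet, policy: Policy, max_steps: int = 8):
    """Repeat route lookup + policy until the packet is handed to the interface.

    Returns (packet_as_transmitted, number_of_tunnel_encapsulations).
    Raises RuntimeError when output processing never terminates.
    """
    steps = 0
    while steps < max_steps:
        route = lookup(pkt.dst)
        if route.tunnel_to is None or not policy(pkt, route):
            return pkt, steps
        pkt = tunnel(pkt, route.tunnel_to)
        steps += 1
    raise RuntimeError("output processing loops: packet keeps matching the tunnel route")


def loops(pkt: Packet, policy: Policy) -> bool:
    """True if forwarding pkt under policy never terminates."""
    try:
        forward(pkt, policy)
        return False
    except RuntimeError:
        return True


if __name__ == "__main__":
    legit = Packet(B_ADDR, A_ADDR, "TCP")        # B -> A from the protected net
    forged = Packet(R_ADDR, A_ADDR, "TCP")       # inside host spoofing R as source
    print("naive rule loops:", loops(legit, naive_policy))
    print("src-is-mine rule sends forged packet as:",
          forward(forged, src_is_mine_policy)[0].next_hdr)
    print("Vipul's rule sends forged packet as:",
          forward(forged, vipul_policy)[0].next_hdr)
```

Running it shows the three behaviours the thread argues about: the naive per-route policy re-tunnels its own R->A output forever; the "source is mine" rule terminates but lets a spoofed src=R packet from the inside leave in the clear; Vipul's rule terminates because the second pass sees `ipsec_processed`, and it still encapsulates the spoofed packet because the first pass does not.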