Re: Corner-case question
> From: Dan.McDonald@Eng (Dan McDonald)
> Let's go back to my picture:
>
> > > A ==(IPsec through the internet)====== R ------<protected network>----
>
> Let's assume that R has one IP address. Let's look at what we want to
> accomplish:
>
> R receives a packet:
>
> src=B, dst=A, next-hdr=TCP <tcp data>
>
> R wants to transmit:
>
> src=R, dst=A, next-hdr=ESP <encrypted IP packet shown above>
>
> So how do I get from what I receive to what I transmit? Let's look at the
> different policy approaches:
>
> If I have per-route policy, I have routing tables that look like:
>
> Dest          interface  gw       properties
> ====          =========  ==       ==========
> Int. Network  le0        int. R1  gateway
> My subnet     le0        link     on-link
> default       le0        int. R2  gateway
> A             le0        int. R2  tunnel-mode to A, gateway
>
> So I receive the B->A packet, I look up its route, and then tunnel it. I now
> have the R->A packet. I look up its route, and then tunnel it. I now have
> the R->A packet.... So a naive implementation will loop. Let's add some
> smarts. How 'bout if the source address is mine, then I don't tunnel. Okay,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> this means if I talk to A, I talk to A in the clear. So what about the bad
> guy inside my net who sends a cleartext packet to A by changing the source
> address to R? It may be only one datagram, and the returning packets will go
> to R and be dumped, etc., but one forged datagram coming from outside could
> be a problem. Okay, so I check that it wasn't received off the wire....
Would it help to modify the rule as follows:
if the source address is mine *and* the packet has already been
processed by IPSEC then don't tunnel again
- vipul
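The outbound lookup on R, as an added simulation that is not part of the thread: it runs the per-route policy from Dan's table against the B->A packet and against the forged-source packet he describes, under the naive rule, the "source is mine" rule, and vipul's amended rule. Host names R, A, B and the `ipsec_done` flag (standing in for "already processed by IPSEC") are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Optional

R, A, B = "R", "A", "B"   # hosts from the picture in the thread (assumed labels)

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "TCP"
    ipsec_done: bool = False          # already processed by IPsec on R (assumed flag)
    inner: Optional["Packet"] = None  # encapsulated packet, if this is ESP

def tunnel(pkt: Packet) -> Packet:
    """Wrap pkt in a tunnel-mode ESP packet R -> pkt.dst, marked as IPsec-processed."""
    return Packet(src=R, dst=pkt.dst, proto="ESP", ipsec_done=True, inner=pkt)

def route_says_tunnel(dst: str) -> bool:
    """Per-route policy from the table: only the route to A carries tunnel-mode."""
    return dst == A

def exempt(pkt: Packet, rule: str) -> bool:
    """Should R skip tunnelling this packet under the given rule?"""
    if rule == "naive":
        return False
    if rule == "src-is-mine":                 # Dan's first fix
        return pkt.src == R
    if rule == "src-is-mine-and-ipsec":       # vipul's amendment
        return pkt.src == R and pkt.ipsec_done
    raise ValueError(rule)

def transmit(pkt: Packet, rule: str, max_hops: int = 8) -> Optional[Packet]:
    """Repeat the route lookup until a packet leaves R; None means it looped."""
    for _ in range(max_hops):
        if not route_says_tunnel(pkt.dst) or exempt(pkt, rule):
            return pkt
        pkt = tunnel(pkt)   # now we hold the R->A packet and look it up again
    return None

if __name__ == "__main__":
    legit = Packet(src=B, dst=A)     # constructed: normal B->A traffic
    forged = Packet(src=R, dst=A)    # constructed: inside host forging src=R
    for rule in ("naive", "src-is-mine", "src-is-mine-and-ipsec"):
        for name, p in (("B->A", legit), ("forged R->A", forged)):
            out = transmit(p, rule)
            print(f"{rule:22} {name:12} -> {'loop' if out is None else out.proto}")
```

Under "src-is-mine" the forged packet leaves as cleartext TCP; under vipul's rule it is tunnelled once and the ESP packet is exempted on the second lookup, so nothing loops and nothing leaves in the clear.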