
Re: Corner-case question



At 02:03 PM 8/6/97 -0700, Dan McDonald wrote:
>
>I've a specific question about a corner-case involving router-to-host
>tunnels.  Consider the following:
>
>	A ==(IPsec through the internet)====== R ------<protected network>----
>
>Say host A is a host that reaches the protected network via an IPsec tunnel
>to router R.
>
>My question is:	Is it possible/practical for R to have a single IP address,
>		and the only way it is being "a router" is that it forwards
>		packets tunnelled to it to its peers inside the protected
>		network?  (Remember, a router is a machine that forwards
>		packets.  That's the extent of the definition.)
>
As you all know, I have paced many a hall pondering scenarios like this.  My
VPN draft does not seem to be coming out, so I will post it to this list
soon if I do not get it into a URL...

Meanwhile the answer is a guarded YES.

Provided:

A can resolve all DNS names in the protected network to addresses in that
network.

A 'knows' that it MUST set up an IPsec tunnel through R for those addresses.

Hosts on the protected network will route packets destined to A via R.

This can be done with one tunnel between A and R or a tunnel per host on
the protected network (I prefer the latter).

It works as follows:

A does a lookup on host.foo.com and gets a valid A record.  A policy on A
says, "to this address (range) you must establish an IPsec tunnel to R and
push the packets through it."

A establishes a tunnel to R (source-destination of A and R) and sends
packets through the tunnel with source-destination of A and host.  R has no
trouble delivering the un-tunneled packets to the host.

The host responds back to A, and these packets arrive at R.  R observes
that the destination is A, and it has an SA to A, so it stuffs the packet
within the tunnel.

Done.

Now one way to automate the policy is with my proposed TX record.  Given
the following DNS entries:

host.foo.com		IN	A	209.69.80.34
*.foo.com		IN	TX	r.foo.com
r.foo.com		IN	A	209.69.80.33

The lookup on host.foo.com returns both the A and the TX record (we hope!).
The TX record results in a second lookup for r.foo.com, and the rest
follows.  Note that DNSSEC MUST be used to protect these records....


Does this work for you?




Robert Moskowitz
Chrysler Corporation
(810) 758-8212
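Added example, not part of the message above: a toy resolver in Python that walks the A / TX / A lookup chain from the post and turns it into A's packet policy (direct, or tunnel with R as the outer destination), refusing a TX chain that is not DNSSEC-signed. The zone data, the "TX" record type, the signed flag and the bar.com / example.net entries are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed zone data: the message's three entries plus an unsigned
# TX record (bar.com) and a host with no TX record (example.net).
ZONE = [
    ("host.foo.com", "A", "209.69.80.34", True),
    ("*.foo.com", "TX", "r.foo.com", True),
    ("r.foo.com", "A", "209.69.80.33", True),
    ("host.bar.com", "A", "192.0.2.34", True),
    ("*.bar.com", "TX", "r.bar.com", False),   # not DNSSEC-signed
    ("r.bar.com", "A", "192.0.2.33", True),
    ("www.example.net", "A", "198.51.100.7", True),
]

def lookup(name, rtype):
    """Return (rdata, signed): exact owner first, then the nearest wildcard.
    Simplified on purpose: the wildcard applies whenever no exact record of
    that type exists, which is what the message assumes."""
    for owner, t, rdata, signed in ZONE:
        if t == rtype and owner == name:
            return rdata, signed
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        for owner, t, rdata, signed in ZONE:
            if t == rtype and owner == wildcard:
                return rdata, signed
    return None, False

@dataclass
class Policy:
    action: str          # "tunnel" or "direct"
    inner_dst: str       # inner header destination: the protected host
    outer_dst: str = ""  # outer header destination: router R (tunnel only)

def policy_for(hostname, require_dnssec=True):
    host_addr, host_signed = lookup(hostname, "A")
    if host_addr is None:
        raise LookupError("no A record for %s" % hostname)
    router_name, tx_signed = lookup(hostname, "TX")
    if router_name is None:
        return Policy("direct", host_addr)      # no TX record: no tunnel
    router_addr, r_signed = lookup(router_name, "A")
    if router_addr is None:
        raise LookupError("no A record for router %s" % router_name)
    # An unsigned TX record could steer A's traffic to the wrong "router",
    # hence the message's requirement that DNSSEC protect these records.
    if require_dnssec and not (host_signed and tx_signed and r_signed):
        raise PermissionError("TX policy for %s not DNSSEC-protected" % hostname)
    return Policy("tunnel", host_addr, router_addr)
```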

