
Re: ISAKMP gateway function

This question from Michael Giniger touches on one of the things that I
have never understood about the IPSEC security architecture.  It seems
that 68-80% of the attacks for which encryption would provide some
protection are on the local network.  The classic example, of course, is
sniffing a password on LAN #1, for a machine on LAN #2, while the machine
on LAN #2 is being accessed by a user on LAN #1.  Imagine that you are
operating LAN #2, that you are required to allow access from other LANs,
and that you have no way of enforcing end-to-end encryption on the
other LANs.  Is there something in the current IPSEC documents that
answers this?


Regards,
Mitch Nelson


On Wed, 26 Nov 1997, Michael Giniger wrote:

> Hi
> 
> I've read through ISAKMPv8 and I was wondering if anyone could answer a
> question for me.
> 
> Does ISAKMP/OAKLEY support the use of a gateway host that negotiates
> IPSEC SAs on behalf of other end systems?  For example, gateway host A
> negotiates an ISAKMP SA (phase 1) with host Z.  Then can host A
> negotiate IPSEC SAs on behalf of end systems C, D, and E?  Host A would
> then have to provide C, D, and E with the requisite keying material,
> etc.
> Is this supported by ISAKMP, and if so, how is this done?
> If not, then does this mean that any end system that wants to have an
> IPSEC SA with another end system must negotiate directly with that end
> system?
> 
> Every end system would then have to store and run a copy of ISAKMP.
> 
> I appreciate any information you can provide.
> 
> Sincerely,
> Michael Giniger