Re: ISAKMP gateway function
This question from Michael Giniger touches on one of the things that I
have never understood about the IPSEC security architecture. It seems
that 68-80% of the attacks for which encryption would provide some
protection are on the local network. The classic example of course, is
sniffing a password on LAN #1, for a machine on LAN #2, while the machine
on LAN #2 is being accessed by a user on LAN #1. Imagine that you are
operating LAN #2, that you are required to allow access from other LANs,
and that you have no way of enforcing end-to-end encryption on the
other LANs. Is there something in the current IPSEC documents that
answers this?
Regards,
Mitch Nelson
On Wed, 26 Nov 1997, Michael Giniger wrote:
> Hi
>
> I've read through ISAKMPv8 and I was wondering if anyone could answer a
> question for me.
>
> Does ISAKMP/OAKLEY support the use of a gateway host that negotiates
> IPSEC SAs on behalf of other end systems? For example, gateway host A
> negotiates an ISAKMP SA (phase 1) with host Z. Then can host A
> negotiate IPSEC SAs on behalf of end systems C, D, and E. Host A would
> then have to provide C, D, and E with the requisite keying material,
> etc.
> Is this supported by ISAKMP and if so how is this done?
> If not, then does this mean that any end system that wants to have an
> IPSEC SA with another end system must negotiate directly with that end
> system?
>
> Every end system would then have to store and run a copy of ISAKMP.
>
> I appreciate any information you can provide
>
> Sincerely
> Michael Giniger
>
>
>
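As an added example, not part of this thread and not taken from any IPsec implementation: a small Python model of the arrangement Michael Giniger asks about, as the IPsec architecture handles it. A security gateway (A) negotiates the phase 1 ISAKMP SA with the peer (Z) and then, in Quick Mode, IPsec SAs whose selectors (the IDci/IDcr proxy identities of RFC 2409) cover the hosts behind it (C, D, E). Those SAs are tunnel-mode SAs terminated at the gateway, so C, D and E hold no keying material at all; only A and Z do. The key derivation keeps the RFC 2409 shape (SKEYID from the nonces and the shared secret, KEYMAT = prf(SKEYID_d, protocol | SPI | Ni | Nr)), but the Diffie-Hellman exchange is replaced by a constructed shared secret and the ISAKMP cookies are omitted; all addresses, nonces and the SPI are constructed values. The same model also shows Mitch Nelson's point: a packet from C to D on the same LAN never reaches the gateway and is carried in the clear.

```python
# Toy model of an IPsec security gateway negotiating SAs on behalf of the hosts
# behind it. Added example; not code from the thread or from any IPsec stack.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number of ESP


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 stands in for the negotiated ISAKMP prf."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class ISAKMPSA:
    """Phase 1 SA. It exists only on the two negotiating peers (A and Z)."""
    local: str
    peer: str
    skeyid_d: bytes


@dataclass(frozen=True)
class IPsecSA:
    """Phase 2 tunnel-mode SA. The selectors are the Quick Mode proxy IDs
    (IDci/IDcr); the SA endpoints are the gateway and the remote peer."""
    spi: int
    local_ep: str
    remote_ep: str
    local_sel: ipaddress.IPv4Network
    remote_sel: ipaddress.IPv4Network
    key: bytes


def phase1(local: str, peer: str, dh_shared: bytes, ni: bytes, nr: bytes) -> ISAKMPSA:
    """RFC 2409 signature-authentication derivation, simplified: cookies omitted,
    and dh_shared is a constructed value standing in for g^xy."""
    skeyid = prf(ni + nr, dh_shared)
    skeyid_d = prf(skeyid, dh_shared + b"\x00")
    return ISAKMPSA(local, peer, skeyid_d)


def quick_mode(sa: ISAKMPSA, spi: int, local_sel: str, remote_sel: str,
               ni: bytes, nr: bytes) -> IPsecSA:
    """Derive the IPsec SA keying material from the phase 1 SA. The proxy
    selectors may be whole networks, which is how a gateway covers C, D and E."""
    keymat = prf(sa.skeyid_d, bytes([ESP_PROTO]) + spi.to_bytes(4, "big") + ni + nr)
    return IPsecSA(spi, sa.local, sa.peer,
                   ipaddress.ip_network(local_sel), ipaddress.ip_network(remote_sel), keymat)


class Gateway:
    def __init__(self, addr: str, protected_net: str):
        self.addr = addr
        self.protected = ipaddress.ip_network(protected_net)
        self.sad = []  # outbound IPsec SAs installed by Quick Mode

    def install(self, sa: IPsecSA) -> None:
        self.sad.append(sa)

    def forward(self, src: str, dst: str, payload: bytes):
        """Apply the first SA whose selectors match; otherwise pass in the clear.
        Returns ('esp', spi, tag) or ('clear', payload)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for sa in self.sad:
            if s in sa.local_sel and d in sa.remote_sel:
                tag = prf(sa.key, payload)  # stand-in for ESP protection
                return ("esp", sa.spi, tag)
        return ("clear", payload)


def lan_path(gw: Gateway, src: str, dst: str, payload: bytes):
    """Traffic whose destination is on the protected LAN never reaches the
    gateway, so no SA can apply to it; everything else goes through forward()."""
    if ipaddress.ip_address(dst) in gw.protected:
        return ("clear", payload)
    return gw.forward(src, dst, payload)


def demo() -> dict:
    # Constructed values: shared secret, nonces, SPI, and addresses
    # (gateway A 192.0.2.1 protects LAN 10.1.0.0/24 holding C, D, E; Z is 198.51.100.9).
    dh, ni, nr, spi = b"\x11" * 32, b"\xaa" * 8, b"\xbb" * 8, 0x1000
    a = Gateway("192.0.2.1", "10.1.0.0/24")
    sa_a = quick_mode(phase1("192.0.2.1", "198.51.100.9", dh, ni, nr),
                      spi, "10.1.0.0/24", "198.51.100.9/32", ni, nr)
    sa_z = quick_mode(phase1("198.51.100.9", "192.0.2.1", dh, ni, nr),
                      spi, "198.51.100.9/32", "10.1.0.0/24", ni, nr)
    a.install(sa_a)
    return {
        "keys_match": sa_a.key == sa_z.key,          # both ends derive the same KEYMAT
        "c_to_z": lan_path(a, "10.1.0.5", "198.51.100.9", b"login")[0],  # tunnelled by A
        "c_to_d": lan_path(a, "10.1.0.5", "10.1.0.6", b"login")[0],      # never sees A
        "key_holders": {sa_a.local_ep, sa_z.local_ep},  # only A and Z, never C/D/E
    }


if __name__ == "__main__":
    print(demo())
```

Note that the gateway does not hand keying material to C, D or E at all: the tunnel-mode SA starts and ends at A, which is why the hosts behind it need no ISAKMP of their own, and also why the hop from C to A (and any C-to-D traffic) is exactly the LAN-local cleartext that Mitch Nelson's reply is concerned about.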