
RE: ISAKMP gateway function



Hi, 

Ted Ts'o wrote:
 
> of the firewall.  IPSEC is designed to work either in the end-host or in
> a security gateway.

Or in both ;-)...

On Wed, 26 Nov 1997, Michael Giniger wrote:
...
> Is this supported by ISAKMP and if so how is this done?

Phase II proxy exchange could handle this, I think. Depending on the interface of the ISAKMP daemon, other hosts can request keys from it. However, the problem is that
- the requested keys will be delivered in clear over the local network (with regard to Mitch Nelson's statement that "68-80% of the attacks for which encryption would provide some protection are on the local network", this isn't very nice...)
- the host requesting the keys must trust the "ISAKMP-host", because it knows the final keys in every case.

> If not, then does this mean that any end system that wants to have an
> IPSEC SA with another end system must negotiate directly with that end
> system?
> Every end system would then have to store and run a copy of ISAKMP.

Yes, if it doesn't accept the restrictions.

If ISAKMP (and IPSEC) runs on host(s) and gateway(s), this leads to some other well-known problems, like
- application of security policies on gateways
- possibly no direct communication between end systems
- finding responsible gateways

[I've written down some ideas for an "extended key exchange over security gateways" based on ISAKMP/Oakley, where gateways and end systems can apply their security policies. Maybe someone is interested in it - simply send a message to me...]

Regards
Kai
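The two topologies Kai contrasts above (an "ISAKMP-host" negotiating on behalf of an end system and handing it the finished key, versus the end system running the exchange itself) can be modelled in a few lines. The following is an added illustration and not code from the original message or from any ISAKMP implementation: it runs a plain Diffie-Hellman exchange over Oakley group 2 (the 1024-bit MODP group of RFC 2409, used only because it is what 1997-era Oakley offered; it is far too weak for real use today), records every message together with the segment it crossed, and then asks what a passive observer on the local segment gets to see. The message fields (`request`, `ke`, `key`), the host names A, K, GW and B, and the SHA-256 stand-in for Oakley's key derivation are all invented for this example.

```python
"""Toy model of proxy vs. direct key negotiation over a security gateway.

Added example, not part of the original post and not real ISAKMP/Oakley.
  proxy_exchange : ISAKMP host K negotiates with remote peer B for end
                   host A and ships the finished key to A over the LAN.
  direct_exchange: A negotiates with B itself; only DH public values
                   cross the LAN.
lan_observer_sees_key() reports whether the session key itself ever
appeared on the local segment.
"""
import hashlib
import secrets

# Oakley group 2 (RFC 2409, section 6.2): 1024-bit MODP prime, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


class Wire:
    """Records every message as (segment, src, dst, fields); segment is 'lan' or 'wan'."""

    def __init__(self):
        self.log = []

    def send(self, segment, src, dst, **fields):
        self.log.append((segment, src, dst, dict(fields)))
        return fields


def dh_keypair():
    """Private exponent in [2, P-2] and the matching public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def session_key(shared_secret):
    """Stand-in for Oakley's KEYMAT derivation (a keyed hash over more inputs in reality)."""
    return hashlib.sha256(shared_secret.to_bytes(128, "big")).digest()


def proxy_exchange(wire):
    """End host A asks ISAKMP host K to set up an SA with remote peer B."""
    wire.send("lan", "A", "K", request="SA for A<->B")          # invented request format
    k_priv, k_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    wire.send("wan", "K", "B", ke=k_pub)
    wire.send("wan", "B", "K", ke=b_pub)
    key = session_key(pow(b_pub, k_priv, P))                    # K computes the final key ...
    assert key == session_key(pow(k_pub, b_priv, P))            # ... and so does B
    wire.send("lan", "K", "A", key=key)                         # finished key crosses the LAN in clear
    return key


def direct_exchange(wire):
    """End host A runs the exchange itself; gateway GW merely forwards the packets."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    wire.send("lan", "A", "GW", ke=a_pub)                        # only public values on the LAN
    wire.send("wan", "GW", "B", ke=a_pub)
    wire.send("wan", "B", "GW", ke=b_pub)
    wire.send("lan", "GW", "A", ke=b_pub)
    key = session_key(pow(b_pub, a_priv, P))                    # only A and B can compute this
    assert key == session_key(pow(a_pub, b_priv, P))
    return key


def lan_observer_sees_key(wire, key):
    """True if a sniffer on the local segment captured the session key itself."""
    return any(seg == "lan" and key in fields.values()
               for seg, _src, _dst, fields in wire.log)


if __name__ == "__main__":
    w = Wire()
    k = proxy_exchange(w)
    print("proxy exchange: key visible on LAN ->", lan_observer_sees_key(w, k))
    w = Wire()
    k = direct_exchange(w)
    print("direct exchange: key visible on LAN ->", lan_observer_sees_key(w, k))
```

The model makes both of Kai's points visible at once: in `proxy_exchange` the key is a field in a LAN-segment record, so anyone sniffing that segment has it, and K had to compute it to send it, so A's trust in K is total. In `direct_exchange` the LAN carries only `ke` values, and recovering the key from them is the discrete-log problem in the group. Protecting the K-to-A hop with its own encrypted channel would remove the first problem but not the second, which is why the post treats the two separately.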