
RE: Discovery of tunnel server from ISP POP



We do security gateway discovery with a home-made protocol. Since it is
home-made and ad hoc too, we'd love to discuss the issue in depth.

Having said that, the mechanism we use is similar to what is described
here:

>but IPv6 suggests it isn't an issue), then it may also be reasonable to
>send an ICMP message (an echo) to the desired end node, and watch for an
>ICMP admin denied message coming back. (One could even just transmit the TCP
>SYN, but that may be more information than one desires to reveal in the
>clear. Another option is to send an ISAKMP initiator message)

>   >It would come back from security gateway. If one had sent an ISAKMP
>message, that might be a signal to the gateway to initiate an ISAKMP with
>the end node. Given appropriate certificates presented by the client and
>gateway to establish that each is authorized to speak for their respective
>entities (users on the client, networks on gateway), then the gateway
>discovery is done.

I don't believe that the discovery should be tied to ISAKMP - the
document itself is already huge and there are, and may be, other key
management exchange protocols.

                                                          Jerry Freedman, Jr
                                                          GTE Gov't Systems
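The discovery signal the quoted text relies on is an ICMP "destination unreachable, communication administratively prohibited" reply (type 3, code 13) returned by the security gateway, carrying the header of the denied probe so the receiver can match it to the end node it was aimed at. The following is an added example, not code from the thread or from either poster's implementation: it checks the ICMP checksum, confirms the type/code, and recovers the quoted destination and protocol from the embedded IPv4 header. The gateway's own address comes from the outer IP header that carried the reply, which is not part of the ICMP bytes parsed here. All addresses are constructed documentation-range values.

```python
"""Parse an ICMPv4 type 3 / code 13 (admin prohibited) reply and recover
which end node the gateway refused to forward to.  Added example; all
sample values are constructed."""
import struct
import ipaddress

ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED = 3, 13

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_admin_prohibited(icmp: bytes):
    """Return (quoted_dst, quoted_proto) for a valid type 3 / code 13 message,
    else None.  quoted_dst is the end node whose probe the gateway denied."""
    if len(icmp) < 8 + 20:          # ICMP header + at least one IPv4 header
        return None
    typ, code, cksum = struct.unpack_from("!BBH", icmp)
    if typ != ICMP_DEST_UNREACH or code != CODE_ADMIN_PROHIBITED:
        return None
    if icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != cksum:
        return None                 # corrupted or forged reply, ignore it
    inner = icmp[8:]                # quoted IPv4 header + first 8 payload bytes
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or len(inner) < ihl + 8:
        return None
    proto = inner[9]
    dst = ipaddress.IPv4Address(inner[16:20])
    return str(dst), proto

def build_sample() -> bytes:
    """Constructed reply: a gateway denying an ICMP echo (proto 1) that
    198.51.100.7 sent toward end node 192.0.2.10."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                           ipaddress.IPv4Address("198.51.100.7").packed,
                           ipaddress.IPv4Address("192.0.2.10").packed)
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x0042, 1)   # quoted echo header
    body = inner_ip + echo
    hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED, 0, 0)
    cksum = icmp_checksum(hdr + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_ADMIN_PROHIBITED,
                       cksum, 0) + body

if __name__ == "__main__":
    print(parse_admin_prohibited(build_sample()))   # ('192.0.2.10', 1)
```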