
Re: ipsec vs. firewalls



> At 08:12 PM 5/6/98 -0700, Steve Bellovin wrote:
> 
> >I came up with a disturbing conflict between ubiquitous IPSEC and
> >common firewall policies.  I'm not certain how to resolve it,
> >either.
> >
> >A common firewall policy permits most outgoing calls.  (The
> >requirement to authenticate such calls, say via AH from the inside
> >host to the firewall, wouldn't affect what comes next.)  Suppose,
> >though, that the inside host wants to use ESP for end-to-end
> >encryption to the destination.  How will the firewall inspect the
> >return packet?
> 
> Why not just have included a 'return' SPI in the header?

That's essentially what I propose in:

  ftp://ftp.ietf.org/internet-drafts/draft-montenegro-aatn-nar-00.txt

The idea is that your inside host engages in an authentication
and negotiation phase with the gateway/firewall/nat (whatever
you want to call it), after which the latter will know that
a given SPI on inbound packets is bound to the inside host.
This allows it to (a) accept the packet, and (b) deliver it to
the appropriate inside host. The authentication and negotiation
phase between the inside host and the firewall is socks-based,
so traditional socks-based authentication mechanisms can be reused.
The firewall can impose its policy at the negotiation phase,
or alternatively before (a), above.

-gabriel
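As an added illustration (example code, not the draft's protocol and not code from anyone on the list), the following Python model shows the mechanism the reply describes: the inside host first registers, with the firewall, the SPI it expects on inbound ESP traffic; the firewall can then use the SPI, the one field of an ESP packet it can still read once the payload is encrypted, to (a) decide whether to accept the packet and (b) deliver it to the right inside host. Policy is imposed at the negotiation step. The packet layout, addresses and the extra check that the packet's source matches the peer named at negotiation are all assumptions made for the example.

```python
"""Toy firewall that accepts inbound ESP only for SPIs an inside host has
registered.  Constructed example: addresses, the packet tuple layout and
the source-peer check are assumptions, not part of the draft."""
import struct
from dataclasses import dataclass, field

ESP_PROTO = 50  # IP protocol number carrying ESP


@dataclass
class Binding:
    inside_host: str   # where inbound packets with this SPI are delivered
    peer: str          # outside peer the inside host negotiated the SA with


@dataclass
class Firewall:
    allowed_peers: set                                   # outbound policy
    bindings: dict = field(default_factory=dict)         # spi -> Binding
    log: list = field(default_factory=list)

    def negotiate(self, inside_host, peer, spi):
        """Negotiation phase: the inside host tells the firewall which
        inbound SPI belongs to it.  Policy is applied here, so a peer the
        firewall would not let the host talk to never gets a binding."""
        if peer not in self.allowed_peers:
            self.log.append(f"refused spi={spi:#010x} for {inside_host}: "
                            f"peer {peer} not permitted")
            return False
        if spi in self.bindings:
            # Two inside hosts must not claim the same inbound SPI.
            self.log.append(f"refused spi={spi:#010x}: already bound")
            return False
        self.bindings[spi] = Binding(inside_host, peer)
        return True

    def inbound(self, packet):
        """Return the inside host an inbound packet is delivered to, or
        None if it is dropped.  packet = (src_ip, ip_proto, payload)."""
        src, proto, payload = packet
        if proto != ESP_PROTO:
            self.log.append(f"dropped non-ESP packet from {src}")
            return None
        if len(payload) < 8:
            self.log.append(f"dropped truncated ESP packet from {src}")
            return None
        # ESP header: 32-bit SPI followed by 32-bit sequence number; the
        # rest is ciphertext the firewall cannot inspect.
        spi, _seq = struct.unpack("!II", payload[:8])
        binding = self.bindings.get(spi)
        if binding is None:
            self.log.append(f"dropped ESP spi={spi:#010x} from {src}: unknown SPI")
            return None
        if binding.peer != src:
            # Assumed extra check: an SPI is only 32 bits, so also require
            # that the packet comes from the peer named at negotiation.
            self.log.append(f"dropped ESP spi={spi:#010x}: source {src} "
                            f"is not the bound peer {binding.peer}")
            return None
        return binding.inside_host


def make_esp_packet(src, spi, seq, ciphertext=b"\x00" * 16):
    """Build a constructed (src, proto, payload) tuple for the model."""
    return (src, ESP_PROTO, struct.pack("!II", spi, seq) + ciphertext)


def demo():
    fw = Firewall(allowed_peers={"198.51.100.7"})
    fw.negotiate("10.0.0.5", "198.51.100.7", 0x1000)   # accepted
    fw.negotiate("10.0.0.6", "203.0.113.9", 0x2000)    # refused by policy
    results = [
        fw.inbound(make_esp_packet("198.51.100.7", 0x1000, 1)),  # delivered
        fw.inbound(make_esp_packet("198.51.100.7", 0x9999, 1)),  # unknown SPI
        fw.inbound(make_esp_packet("203.0.113.9", 0x1000, 2)),   # wrong peer
    ]
    return results, fw.log


if __name__ == "__main__":
    delivered, log = demo()
    print(delivered)
    print("\n".join(log))
```

Running the module delivers only the first packet (to 10.0.0.5); the other two are dropped, and the log records why, which is the inspection the firewall otherwise could not perform on an encrypted return packet.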


