
[Q] Inbound processing in SG for end-to-end IPSec



Hi all,

The Security Architecture document on page 24, section 4.5, Case 1
discusses end-to-end processing at the two end hosts. Just to
clarify, I reproduce the diagram

                 ====================================
                 |                                  |
                H1* ------ (Inter/Intranet) ------ H2*


My question is related to the diagram modified as follows with
a security gateway (SG1) in the path between H1 and H2 ...

                           IP3        IP4
                 |...............SG1................|
                 ====================================
                 |                                  |
                H1* ------ (Inter/Intranet) ------ H2*
                IP1                                IP2

The actual route of the packet is H2->SG1->H1 (and also
H1->SG1->H2).
The IPSec SA is between H1 and H2. The SG1 is not providing any
IPSec services for this pair of hosts.

My questions are:
	1) Is this scenario legal?
	2) What should the SPD in SG1 be?
	3) What is the processing that takes place at SG1?

These are the answers that I have. I am new to IPSec and I am most
likely wrong. So please bear with me. (For simplicity, I am assuming
ESP in tunnel mode).

Q1) Yes this is legal

Q2) The SPD is
	SPD rule: S=IP1,D=IP2,P=ESP/AH ==> Bypass
	SPD rule: S=IP2,D=IP1,P=ESP/AH ==> Bypass

Q3) SG1 does the following (?)
H1 sends on interface with address IP1:
	[D=IP2,S=IP1,P=ESP][D=IP2,S=IP1,P=UDP,<data>]
SG1 receives this on interface with address IP3:
	SPD rule: S=IP1,D=IP2,P=ESP/AH ==> Bypass
	SPD rule: S=IP2,D=IP1,P=ESP/AH ==> Bypass
   The document, in section 5.2.1, requires a lookup in the SAD
using the Dest, SPI and Protocol for any packet having security
headers.
   The Dest (IP2) is not a local address of the router. What does
it do? It looks it up in the SPD (as there was no entry in the
SAD)?
It should discard it as stated in rule 1 of section 5.2.1?

This confusion leads me to believe that this is an invalid
configuration! But does this mean that H2 must establish a
tunnel with every security gateway in the path? What happens
if the route changes? ...

An absolutely confused newbie requesting assistance,
Abbie.
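As an added illustration (not part of Abbie's post), here is a small Python model of the inbound decision at SG1 for the scenario above, using the poster's SPD bypass rules and constructed addresses for IP1..IP4. The ordering of the checks is this example's assumption, following the way RFC 4301 section 5.2 later spelled it out: the SAD lookup by (destination, protocol, SPI) is applied only to AH/ESP packets addressed to the gateway itself, while ESP in transit between H1 and H2 is decided by the SPD alone.

```python
from typing import Optional
from dataclasses import dataclass
ESP, AH, UDP = 50, 51, 17
BYPASS, DISCARD = "BYPASS", "DISCARD"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # outer IP protocol: ESP, AH or a plain transport
    spi: int = 0    # only meaningful when proto is ESP or AH

@dataclass(frozen=True)
class SpdRule:
    src: str               # "*" matches any address
    dst: str
    proto: Optional[int]   # None matches any protocol
    action: str

def spd_lookup(spd, pkt):
    """First-match SPD search; no matching rule means DISCARD (default deny)."""
    for r in spd:
        if (r.src in ("*", pkt.src) and r.dst in ("*", pkt.dst)
                and r.proto in (None, pkt.proto)):
            return r.action
    return DISCARD

def inbound(pkt, local_addrs, sad, spd):
    """Inbound decision at a gateway. Example assumption (RFC 4301 s5.2 order):
    the SAD lookup by (dst, proto, SPI) applies only to AH/ESP packets addressed
    to this device; everything else, incl. ESP in transit, is decided by the SPD."""
    if pkt.proto in (ESP, AH) and pkt.dst in local_addrs:
        sa = sad.get((pkt.dst, pkt.proto, pkt.spi))
        return ("DECAPSULATE", sa) if sa else ("DROP", "no SA for SPI")
    action = spd_lookup(spd, pkt)
    return ("FORWARD", "SPD bypass") if action == BYPASS else ("DROP", "SPD " + action)

# Constructed addresses for the post's diagram: H1=IP1, H2=IP2, SG1=IP3/IP4.
IP1, IP2, IP3, IP4 = "10.0.1.1", "10.0.2.2", "192.0.2.3", "192.0.2.4"
SG1_ADDRS = {IP3, IP4}
SG1_SAD = {}  # SG1 holds no SA with H1 or H2
SG1_SPD = ([SpdRule(IP1, IP2, p, BYPASS) for p in (ESP, AH)]
           + [SpdRule(IP2, IP1, p, BYPASS) for p in (ESP, AH)])

def demo():
    transit = Packet(IP1, IP2, ESP, spi=0x1001)  # H1->H2 ESP passing through SG1
    to_sg1 = Packet(IP1, IP3, ESP, spi=0x1001)   # ESP addressed to SG1 itself
    clear = Packet(IP1, IP2, UDP)                # cleartext H1->H2, no bypass rule
    return [inbound(p, SG1_ADDRS, SG1_SAD, SG1_SPD) for p in (transit, to_sg1, clear)]
```

Note that the poster's two bypass rules cover only ESP/AH between IP1 and IP2, so the model drops cleartext traffic between the same hosts by default deny; a gateway that should also pass or protect that traffic needs further SPD entries.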