
Re: ESP and AH used in tunnel mode by a Security Gateway



Stephen Kent <kent@bbn.com> writes:

> The Arch Doc states that the wildcard value in the SAD is applicable to
> host implementations and reiterates that gateways must use tunnel mode.
> (See section 4.4.3, pages 24-25, latest I-D.) Thus, the discussion of this
> wildcard feature does not apply to the security gateway SA mode discussion
> you're having here.

Unfortunately, many gateways will be acting both as a SG and as a Host
implementation (IPsec protection for configuration sessions or L2TP
tunnels comes to mind).  The wildcard characteristic becomes
increasingly useful for the SG in the case where we might be
protecting a second tunneling protocol, as well as using straight IPsec
in tunnel mode.  For example:

		      H1-----SG1=====SG2-----H2

If H1 has the option of connecting to SG1 as either an IP client or a
PPP client, SG1 might be configured to transfer that traffic either in
an IPsec tunnel, or in an L2TP tunnel (which in this case would be
protected by transport mode IPsec).  In order to reduce the complexity
of this configuration, it would be nice to allow the same SAs to
protect all traffic, whether being used in Tunnel Mode or in Transport
Mode.

I think that this provides a valid case for wanting the "Security
Gateway" (or perhaps some extension of this concept) for using an SA
in a wildcard fashion much as a Host implementation might.  The
question then begins to involve the question of how we might represent
that in terms of SAD notation and how we would negotiate it with
ISAKMP.


ben
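
The SPD/SAD selector lookup the posting is about, as an added example that is not from the thread or from any IPsec implementation: a toy Python model (addresses, SPI values and the table layout are assumptions) showing that one wildcard-selector SA at SG1 can carry both the tunnelled H1 traffic and the transport-mode L2TP traffic where specific selectors need two SAs, and the post-decapsulation SPD check a wildcard SA then relies on.

```python
from collections import namedtuple

ANY = "*"  # wildcard selector value, as a host implementation's SAD may use
Packet = namedtuple("Packet", "src dst proto dport", defaults=(0,))
Selector = namedtuple("Selector", "src dst proto dport", defaults=(ANY,) * 4)
SPDEntry = namedtuple("SPDEntry", "sel mode")   # mode: "tunnel" or "transport"
SA = namedtuple("SA", "spi sel")                 # SAD entry bound to selectors

def covers(sel, p):
    """True when every selector field is a wildcard or equals the packet's."""
    return all(s == ANY or s == v for s, v in zip(sel, p))

def outbound(spd, sad, p):
    """Outbound: (mode, spi) from the SPD policy plus a covering SA, else None."""
    policy = next((e for e in spd if covers(e.sel, p)), None)
    sa = next((s for s in sad if covers(s.sel, p)), None)
    return None if policy is None or sa is None else (policy.mode, sa.spi)

def inbound_ok(spd, sa, p):
    """Inbound, after decapsulation: the packet must match the SA's selectors
    and some SPD entry. With wildcard SA selectors only the SPD check
    constrains what may arrive over that SA, so it must not be skipped."""
    return covers(sa.sel, p) and any(covers(e.sel, p) for e in spd)

# Constructed sample topology from the posting: H1-----SG1=====SG2-----H2
H1, H2, SG1, SG2 = "10.0.1.5", "10.0.2.7", "192.0.2.1", "198.51.100.1"
SPD = [SPDEntry(Selector(src=H1, dst=H2), "tunnel"),                              # H1 as IP client
       SPDEntry(Selector(src=SG1, dst=SG2, proto="udp", dport=1701), "transport")]  # H1 via L2TP
IP_PKT = Packet(H1, H2, "tcp", 80)
L2TP_PKT = Packet(SG1, SG2, "udp", 1701)

# Per-mode SAs with specific selectors: two SAs toward SG2 are needed
SPECIFIC_SAD = [SA(0x1001, Selector(src=H1, dst=H2)),
                SA(0x1002, Selector(src=SG1, dst=SG2, proto="udp", dport=1701))]
# One host-style wildcard SA: both flows share it and the mode comes from the SPD
WILDCARD_SAD = [SA(0x2001, Selector())]

def spis_used(sad, packets=(IP_PKT, L2TP_PKT)):
    """Distinct SPIs a SAD needs in order to carry the sample flows."""
    return {outbound(SPD, sad, p)[1] for p in packets}
```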
