
Network Management with IP Sec



John Grillo writes:
> Currently, I manage tools which keep track of application percentages across
> the LAN and WAN based on TCP/UDP port number.  
> 
> The way I read the IP Sec RFC, the original packet will be encapsulated, a
> checksum is calculated, and then all information in the original packet is
> encrypted (or something along those lines -- that's not the important part).
> If this is the case, I lose visibility into the original packet and
> therefore cannot determine the port it was using (the important part).  I
> haven't read anything in the description of the headers that will translate
> to "application".
> 
> I've asked a few network management vendors how they will account for this
> protocol but no one had a good answer.
> 
> I'm sure this was discussed, is there any information posted?
> 
> Thanks,
> 
> John D Grillo

Yup yessir, absolutely.  It's been discussed ad nauseam.  The answer is:
If a packet is to be examined in transit, then it can't be encrypted.
Use authentication only.

On the other hand, if I were a person who wanted to make sure my
addresses and port numbers don't become public knowledge, I would
encrypt my packets.  Note (as has been observed many times before) that
the goal of information hiding is to hide _all_ the information,
including hints and clues (such as addresses and port numbers).

One way around this is for an organization to monitor the movement of
packets on the private side of a security gateway.  Be sure to impose
some form of restriction on internal systems to prevent them from
encrypting their packets! :-)

-- 
Leonard Samuelson, Ascend Communications, Inc.   614-760-4024
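As an added example (not from the thread, and not code from either poster), a Python classifier run over constructed packets shows what a port-based accounting tool can still see under AH versus ESP: an AH header is skipped and the inner TCP ports recovered (transport and tunnel mode), while an ESP packet exposes only its SPI. Header layouts follow the AH/ESP specifications; the addresses, SPIs and packet bytes are constructed sample values.

```python
import struct

IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 17, 50, 51

def ipv4(proto: int, payload: bytes, src="10.0.0.1", dst="10.0.0.2") -> bytes:
    """Constructed IPv4 header (no options, checksum left zero) followed by payload."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload

def ah(next_header: int, spi: int, icv: bytes = b"\x11" * 12) -> bytes:
    """Constructed AH: next header, payload len (32-bit words minus 2), reserved, SPI, seq, ICV."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, 1) + icv

def esp(spi: int, ciphertext: bytes) -> bytes:
    """Constructed ESP: SPI and sequence number, then opaque ciphertext (payload + trailer)."""
    return struct.pack("!II", spi, 1) + ciphertext

def classify(pkt: bytes) -> dict:
    """What a port-based accounting tool sees: ports when visible, otherwise only the SPI."""
    off, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    seen = {"src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20]))}
    if proto == IPPROTO_AH:
        # AH authenticates but does not encrypt: skip it and keep parsing the inner header.
        next_header, payload_len = pkt[off], pkt[off + 1]
        seen["ah_spi"] = struct.unpack("!I", pkt[off + 4:off + 8])[0]
        off += (payload_len + 2) * 4
        proto = next_header
    if proto == IPPROTO_IPIP:
        # Tunnel mode: a complete inner IP packet follows, so classify that.
        return {**seen, "inner": classify(pkt[off:])}
    if proto == IPPROTO_ESP:
        # Everything after SPI/seq is ciphertext, including the inner next-header field.
        seen.update(esp_spi=struct.unpack("!I", pkt[off:off + 4])[0], ports=None, app_visible=False)
        return seen
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        seen.update(proto="tcp" if proto == IPPROTO_TCP else "udp", ports=(sport, dport), app_visible=True)
        return seen
    seen.update(proto=proto, ports=None, app_visible=False)
    return seen

# Constructed sample packets: plain TCP, AH transport mode, AH tunnel mode, and ESP.
TCP_HDR = struct.pack("!HHIIBBHHH", 1234, 443, 0, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLES = {
    "plain": ipv4(IPPROTO_TCP, TCP_HDR),
    "ah": ipv4(IPPROTO_AH, ah(IPPROTO_TCP, 0x100) + TCP_HDR),
    "ah_tunnel": ipv4(IPPROTO_AH, ah(IPPROTO_IPIP, 0x101)
                      + ipv4(IPPROTO_TCP, TCP_HDR, "192.168.1.5", "192.168.2.9"),
                      "203.0.113.1", "198.51.100.1"),
    "esp": ipv4(IPPROTO_ESP, esp(0x200, b"\x00" * 48)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt))
```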
