
Re: Network Management with IP Sec



> The way I read the IP Sec RFC, the original packet will be encapsulated, a
> checksum is calculated, and then all information in the original packet is
> encrypted (or something along those lines -- that's not the important part).
> If this is the case, I lose visibility into the original packet and
> therefore cannot determine the port it was using (the important part).  I
> haven't read anything in the description of the headers that will translate
> to "application".

That's correct.  This information is intentionally obscured because in
many (most) cases, the networks in between the endpoints have no need
to know..

> I've asked a few network management vendors how they will account for this
> protocol but no one had a good answer.

I can think of several..

 1) Do a "why do we *really* want this" analysis on what data is
being collected now..
 - how does knowing what the applications are help you run your network?
 - can you collect the information you need purely from statistics on
packet sizes and the shapes of various flows?

I'm willing to bet that, in the absence of extra padding and "cover
traffic", with a little effort you can discriminate between different
applications based purely on packet direction, size, and timing...

 2) Within an enterprise, do monitoring in hosts or SG's after
decryption or before encryption, and transmit appropriately condensed
summaries (secured by ipsec :-) ) to a properly authorized network
management station.  The administrator of the host gets to control
whether such monitoring happens and who gets to do how much of it; the
administrator of the net gets to control whether hosts which refuse to
play the game get to connect to the network..

				- Bill
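The kind of "shape" analysis Bill describes in point 1 (direction, size and timing of ESP packets, with the payload opaque), as an added example that is not part of the original message. The packet records and the thresholds are constructed for illustration; a real deployment would tune them from its own traffic.

```python
"""Flow-shape summarization for IPsec ESP traffic (added example)."""
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, direction, esp_packet_bytes).
# "out" = initiator -> responder. Only metadata visible on the wire is used.
INTERACTIVE = [(0.00, "out", 60), (0.12, "in", 72), (0.35, "out", 64), (0.50, "in", 68),
               (0.90, "out", 60), (1.05, "in", 70), (1.60, "out", 62), (1.80, "in", 66)]
BULK = [(0.000, "out", 80), (0.002, "in", 1420), (0.003, "in", 1420), (0.004, "in", 1420),
        (0.006, "out", 64), (0.007, "in", 1420), (0.008, "in", 1420), (0.010, "in", 1420)]


def flow_features(pkts):
    """Statistics that survive ESP encryption: direction mix, sizes, gaps."""
    sizes = [p[2] for p in pkts]
    times = [p[0] for p in pkts]
    gaps = [b - a for a, b in zip(times, times[1:])]
    inbound = sum(1 for p in pkts if p[1] == "in")
    # Fraction of consecutive packets that change direction (request/response rhythm).
    flips = sum(1 for a, b in zip(pkts, pkts[1:]) if a[1] != b[1])
    return {
        "packets": len(pkts),
        "in_ratio": inbound / len(pkts),
        "mean_size": mean(sizes),
        "size_stdev": pstdev(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "alternation": flips / max(len(pkts) - 1, 1),
    }


def shape_class(feat):
    """Coarse heuristic labelling (constructed thresholds, not a standard)."""
    if feat["mean_size"] < 200 and feat["alternation"] > 0.7 and feat["mean_gap"] > 0.05:
        return "interactive"
    if feat["mean_size"] > 800 and feat["in_ratio"] > 0.6:
        return "bulk-download"
    return "unknown"


if __name__ == "__main__":
    for name, flow in (("INTERACTIVE", INTERACTIVE), ("BULK", BULK)):
        f = flow_features(flow)
        print(name, shape_class(f), {k: round(v, 3) for k, v in f.items()})
```

The same features are also a reasonable basis for the "condensed summaries" of point 2: a host or gateway can export them per flow without revealing the decrypted payload.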