
Re: Remote access from ubiquitous IPSec hosts



My vision of the future is

	[perhaps this drivel is not appropriate for the IPSEC mailing
	list, just flame me privately and I will restrict my future
	posts to strictly technical issues :-]

Home Base

  Home base is a system with a reasonably fixed and permanent connection
  to the internet. By "reasonable" I mean that it can receive e-mail
  by SMTP at a known address. It may be a machine at home or at the
  office or even a mobile host.

  Every person will have a home base and a permanent internet address,
  just map the standard phone number into an IPv6 address directly. Once
  the telcos move fully into the IP phone world, everyone who has a phone
  also has the potential for having a fixed IP address. The phone unit is
  replaced with the Home Base.

  Home base should have IPSEC enabled.

Mobile host

  A mobile host is a portable system you carry with you while travelling
  (it could be a laptop, PDA or mobile phone). It will have a TCP/IP
  stack and IPSEC.

When one needs to access the home base (for example for a mail check),
one could enter some "internet cafe", a lounge at the airport or
whatever place that is offering fast internet access. Such places
could offer a selection of interfaces (IR, ethernet, Bluetooth, etc.)
to hook up your portable to the local net. The local net should accept
all IP addresses (and NAT, so that you don't need to reconfigure), or
the hookup defines a dynamic IP. In any case, the home base will see
a pretty random IP source address. So, the SA must be negotiated based
on some ID that the Mobile Host supplies.

I wouldn't trust the security of any host in such places. The IPSEC
must be in your own portable unit, which you trust.

Of course, if your data speed requirement is not too high, you can
always connect directly from mobile to your home base using PPP over
GSM data or whatever similar method.

In conclusion, I believe address based policy decisions will have less
significance as time goes on (other than saying that all addresses
need IPSEC, perhaps excluding incoming mail and http, if you run your
own web server on your home base).

And finally, you don't need any firewalls to protect your home base,
ipsec does it all for you :-)

-- 
Markku Savela (msa@hemuli.tte.vtt.fi), Technical Research Centre of Finland
Multimedia Systems, P.O.Box 1203,FIN-02044 VTT,http://www.vtt.fi/tte/staff/msa/
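
The message's point that the home base sees an unpredictable source address, so policy has to be selected by an ID the mobile host supplies, is shown here as an added Python example that is not part of the original post. It is a simplified pre-shared-key model, not IKE; the ID string, addresses, key and policy names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample policy tables (illustrative values only).
ADDRESS_POLICY = {ipaddress.ip_network("192.0.2.0/24"): "office-lan"}
IDENTITY_POLICY = {
    "mobile@homebase.example": {
        "key": b"constructed-demo-key",
        "policy": "roaming-full-access",
    },
}


def select_by_address(src_ip):
    """Address-based lookup: works only while the peer keeps a known address."""
    addr = ipaddress.ip_address(src_ip)
    for net, policy in ADDRESS_POLICY.items():
        if addr in net:
            return policy
    return None


def prove_identity(peer_id, key, nonce):
    """Initiator side: MAC over the responder's fresh nonce and the claimed ID."""
    return hmac.new(key, nonce + peer_id.encode(), hashlib.sha256).digest()


def select_by_identity(peer_id, nonce, proof):
    """ID-based lookup: the source address is ignored, but a claimed ID
    selects a policy only if it is proven with the key bound to that ID."""
    entry = IDENTITY_POLICY.get(peer_id)
    if entry is None:
        return None
    expected = prove_identity(peer_id, entry["key"], nonce)
    if not hmac.compare_digest(expected, proof):
        return None
    return entry["policy"]


def evaluate(src_ip, peer_id, nonce, proof):
    """Run both lookups for one negotiation attempt seen by the home base."""
    return {
        "address": select_by_address(src_ip),
        "identity": select_by_identity(peer_id, nonce, proof),
    }
```

The nonce must be fresh for every attempt; otherwise a proof captured on the untrusted local net could be replayed from another address.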

