
Re: Was Re: multiple payloads via "ID_LIST"



Yan-Fa LI wrote:

[some text cut]

> For example, wouldn't it be nice if we could make use of External BGP
> for Encryption Gateways on the "RED"/Local/Trusted Side of a security
> gateway to list all the networks on one side of a VPN and securely share
> that information with the other side of the VPN link and vice versa.  So
> now both gateways have a list of the networks on either side of the VPN,
> which BTW they are also propagating with their respective local network
> clouds.

For the paranoid, this begs the question of authenticating the data
carried within BGP. This has been discussed in some of the routing
areas (e.g. RPS), although in a different context. There is also the
fun question of how much of this type of information one would want
to redistribute.

> And if the encryptor goes down the traffic can take a different path
> rather than black hole the traffic due to the router interaction.
> 
>         Branch Site --- Encrypter --- Internet --- Encrypter --- Corporate
>         Router
> 
>                     EBGP            SOME KIND OF              EBGP
>                                     ROUTER PROTOCOL
> 
> Now I have a lot less configuration to do.  And I've established
> security for a group of networks on either side of the link.

This configuration implies that the "encrypter" can handle the link
layer of the Internet connection. For some boxes, and some classes of
links, that may not be commonly available (particularly high speed
links).

> Ah you say, well how do we get a link into a usable SPI then since
> we're not using destination/source addressing ?  Well, it turns out
> there's this little used but interesting field called "community" in
> EBGP which could be used as a new selector.  Then perhaps we could
> configure on the encryptor:
> 
>         Peer Gateway IP Address
>         Authentication Required (PreShared/PK)
>         Community
> 
> The Community would then be an index into what Encryption algorithm for
> IPSec and even some basic Source/Dest Address filters and/or TCP/UDP
> ports for the collective range of networks.  BTW, business partners
> could be in this mix, but they could get their own set of SPIs based on
> community string and route propagation and so wouldn't necessarily be
> using the same tunnels.
> 
> So the idea of a Meta-ID would be a way of exchanging this information
> between IPSec devices, now we need a standard way of getting this
> information in and out of the IPSec device in the first place and back
> to a router at either end.  Of course if the IPSec device were
> a router, this might already be done ;P
> 
> This idea isn't new, I think someone at cisco first proposed it.
> 
>  ___________________________________________________________________
> | Bio-Routing:               | Electronic Connectivity:             |
> |                            |                                      |
> | Yan-Fa LI                  | Phone:    ( +1 ) - 650 236 3680      |
> | Hewlett-Packard Company    | Fax:      ( +1 ) - 650 236 3632      |
> | Mail Stop: 20CX            |                                      |
> | 3000 Hanover Street,       | Telnet:   236 - 3680                 |
> | Palo Alto, CA 94304        | Email:    yanfali@corp.hp.com        |
> | USA                        |                                      |
> |____________________________|______________________________________|

-paul
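The proposal above (routes learned over EBGP, a community value indexing the IPsec policy) and Paul's objection (the route data itself needs authenticating, and an unknown or withdrawn route must not silently fall back) can be modelled in a few dozen lines. The following is an added example written for this page, not code from either poster or from any router or encryptor product. Everything in it is constructed: the community-to-policy table, the prefixes, the peer addresses, and in particular the HMAC over each announcement, which is a stand-in for "authenticate the data carried within BGP" rather than a real BGP mechanism.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


# Hypothetical per-community IPsec parameters, as the thread suggests
# configuring on the encryptor: the community selects the algorithm,
# the peer gateway and any port filter for that group of networks.
@dataclass(frozen=True)
class IPsecPolicy:
    peer_gateway: str         # remote encryptor the SA is built with
    esp_cipher: str           # cipher chosen by community
    allowed_ports: frozenset  # TCP/UDP ports permitted; empty = any


POLICY_BY_COMMUNITY = {          # constructed values
    "65000:100": IPsecPolicy("203.0.113.2", "aes256-cbc", frozenset()),
    "65000:200": IPsecPolicy("198.51.100.9", "3des-cbc", frozenset({443})),
}


def update_mac(update, key):
    """HMAC over the canonical fields of one announce/withdraw.
    Hypothetical route-data authentication, not part of BGP itself."""
    msg = "|".join([update["action"], update["prefix"],
                    update.get("community", ""), str(update["seq"])])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def signed(update, key):
    """Attach the MAC the sending router would add (constructed)."""
    return {**update, "mac": update_mac(update, key)}


class EncryptorRib:
    """Routes the encryptor learned over EBGP, keyed by prefix."""

    def __init__(self, peer_key):
        self.peer_key = peer_key
        self.routes = {}     # ipaddress network -> community string
        self.last_seq = -1   # replay protection for the constructed MAC

    def process_update(self, update):
        """Install or remove a route; return True if the RIB changed.
        Rejects bad MACs, replays and communities with no policy."""
        expected = update_mac(update, self.peer_key)
        if not hmac.compare_digest(expected, update.get("mac", "")):
            return False
        if update["seq"] <= self.last_seq:
            return False
        self.last_seq = update["seq"]
        net = ipaddress.ip_network(update["prefix"])
        if update["action"] == "withdraw":
            return self.routes.pop(net, None) is not None
        if update["community"] not in POLICY_BY_COMMUNITY:
            # No SA parameters for this community: do not install, so
            # traffic can never ride an unconfigured tunnel.
            return False
        self.routes[net] = update["community"]
        return True

    def select_policy(self, dst, dport=None):
        """Longest-prefix match, then community -> policy. None means
        there is no protected path: drop rather than send in the clear."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net in self.routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            return None
        policy = POLICY_BY_COMMUNITY[self.routes[best]]
        if dport is not None and policy.allowed_ports and dport not in policy.allowed_ports:
            return None
        return policy
```

A packet to a destination with no installed route gets no policy at all; that is the safe reading of "if the encryptor goes down the traffic can take a different path": the encryptor drops it and lets the router's own protocol reroute, instead of inventing a tunnel. Note that the MAC only proves the local router sent the update, which is the narrow version of the authentication question raised above; it says nothing about whether that router should have been announcing the prefix in the first place.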