Re: minor inconsistency in arch doc (maybe)
>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
Scott> Steve,
Scott> I guess I didn't really make myself clear - let me try
Scott> again. First, here's a simple schematic:
Scott>      H1-----SGW1-------SGW2----H2
Scott>        net1                 net2
Scott> In SGW1, I want to apply ESP tunnel mode to IP datagrams from H1
Scott> to H2. Note that there may be other hosts on H1's net, and also
Okay. Is there some policy for the other nodes at net1/net2? Is this
policy on SG1, or on H1?
  sourceIP     destIP       protocol   ports   SA parms
  ====================================================================
  H1's IP      H2's IP      *          *       ESP-tunnel,3DES,SHA1
  SGW1's IP    SGW2's IP    ESP        --      AH-transport,SHA1
Depending on whether you apply your policy recursively or not, this
may or may not achieve double authentication. For simplicity in
implementation, I would have my GUI do the recursive application ahead
of time and instantiate something more specific.
Your policy may have unintended effects on packets that weren't part
of the H1/H2 stream (or it may have an effect you want).
  sourceIP     destIP       protocol   ports   SA parms
  ====================================================================
  H1's IP      H2's IP      ESP        *       AH-transport,SHA1
Scott> Note the use of ESP in the protocol field. My question: does this
Scott> violate the design intent of the architecture, or is the language
Scott> I quoted in my earlier post a bit misleading?
This tells me that H1 and H2 will establish an SA with ESP. SG1, upon
seeing such packets, will add an AH to it. This is different from what
you wrote above: the inner tunnel in the second case will terminate at H1/H2
instead of at SG1/SG2.
:!mcr!: | Network and security consulting/contract programming
Michael Richardson | Firewalls, TCP/IP and Unix administration
Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
Corporate: http://www.sandelman.ottawa.on.ca/SSW/
ON HUMILITY: To err is human, to moo bovine.
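Editor's added example, not code from the message above or from any IPsec implementation: an outbound SPD (security policy database) evaluator that runs the two policy tables from the message on SGW1, once with a single lookup and once with the recursive application the reply discusses, and that pre-flattens the recursion the way the reply suggests a GUI should. The labels H1/H2/SGW1/SGW2, the Packet and Rule records, the choice of SGW2 as SGW1's tunnel peer (the SA parms column does not name one), and the sample packets are all assumptions made for illustration.

```python
"""Outbound SPD evaluation for the two policy tables in the message above.
Added example, not the message's or any IPsec stack's code.  Address labels,
record layouts, the tunnel peer and all sample packets are assumed."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51        # IANA protocol numbers
ANY = "*"
H1, H2, SGW1, SGW2 = "H1", "H2", "SGW1", "SGW2"   # assumed address labels


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    layers: Tuple[str, ...] = ()   # SAs applied so far, innermost first


@dataclass(frozen=True)
class Rule:
    src: object      # address or ANY
    dst: object
    proto: object    # protocol number or ANY
    ports: object    # destination port or ANY ("--" in the table: n/a)
    action: str      # the "SA parms" column


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(sel == ANY or sel == val for sel, val in
               ((rule.src, pkt.src), (rule.dst, pkt.dst),
                (rule.proto, pkt.proto), (rule.ports, pkt.dport)))


def lookup(spd, pkt):
    """First-match SPD lookup; None means bypass (no IPsec applied)."""
    return next((r for r in spd if matches(r, pkt)), None)


def apply_sa(rule: Rule, pkt: Packet, local: str, peer: str) -> Packet:
    """The packet as it appears on the wire after the rule's SA is applied
    on gateway `local`, whose tunnel peer is `peer` (assumed SGW2 here)."""
    mode = rule.action.split(",")[0]
    layers = pkt.layers + (rule.action,)
    if mode == "ESP-tunnel":
        # New outer header local->peer; the inner packet and its ports are
        # encrypted, so the outer protocol field now reads ESP.
        return Packet(local, peer, PROTO_ESP, None, layers)
    if mode == "AH-transport":
        # AH slides in behind the existing IP header: same addresses,
        # protocol field now reads AH.
        return replace(pkt, proto=PROTO_AH, dport=None, layers=layers)
    raise ValueError(f"unknown SA mode {mode!r}")


def process(spd, pkt, local, peer, recursive):
    """With recursive=True the output of each SA is looked up again, so the
    ESP tunnel SGW1 emits can itself hit the SGW1->SGW2 rule; with
    recursive=False a single lookup decides everything."""
    used = set()
    while True:
        rule = lookup(spd, pkt)
        if rule is None or rule in used:      # bypass, or nothing new applies
            return pkt
        used.add(rule)
        pkt = apply_sa(rule, pkt, local, peer)
        if not recursive:
            return pkt


def flatten(spd, local, peer):
    """What the reply suggests the GUI should do: resolve the recursion ahead
    of time and instantiate one rule carrying the whole chain of SAs."""
    out = []
    for r in spd:
        probe = Packet(r.src, r.dst, PROTO_TCP if r.proto == ANY else r.proto,
                       80 if r.ports == ANY else None)   # representative packet
        chain = process(spd, probe, local, peer, recursive=True).layers
        out.append(replace(r, action=" then ".join(chain)))
    return out


# The first table in the message (policy on SGW1).
SPD_A = [Rule(H1, H2, ANY, ANY, "ESP-tunnel,3DES,SHA1"),
         Rule(SGW1, SGW2, PROTO_ESP, ANY, "AH-transport,SHA1")]
# The second table: ESP in the protocol field of the H1->H2 selector.
SPD_B = [Rule(H1, H2, PROTO_ESP, ANY, "AH-transport,SHA1")]

# Constructed sample traffic as seen outbound on SGW1.
H1_TO_H2 = Packet(H1, H2, PROTO_TCP, 80)   # the plain H1->H2 stream
OTHER_ESP = Packet(SGW1, SGW2, PROTO_ESP)  # gateway-to-gateway ESP not born of H1/H2
H1_H2_ESP = Packet(H1, H2, PROTO_ESP)      # an end-to-end SA H1<->H2


def demo():
    return {
        "A_once": process(SPD_A, H1_TO_H2, SGW1, SGW2, recursive=False).layers,
        "A_recursive": process(SPD_A, H1_TO_H2, SGW1, SGW2, recursive=True).layers,
        "A_other_esp": process(SPD_A, OTHER_ESP, SGW1, SGW2, recursive=True).layers,
        "B_plain": process(SPD_B, H1_TO_H2, SGW1, SGW2, recursive=True).layers,
        "B_e2e_esp": process(SPD_B, H1_H2_ESP, SGW1, SGW2, recursive=True),
        "A_flat": flatten(SPD_A, SGW1, SGW2)[0].action,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running demo() shows the three points the reply makes: with the first table a single lookup yields only the ESP tunnel, recursive lookup yields ESP then AH (double authentication), and any ESP packet between SGW1 and SGW2, whether or not it came from H1/H2, also picks up the AH rule; with the second table the plain H1->H2 stream is bypassed on SGW1, and only ESP packets that H1 itself emitted toward H2 get AH added, with the addresses still H1/H2, so the inner tunnel terminates at the hosts rather than at the gateways. The flattened first rule carries "ESP-tunnel,3DES,SHA1 then AH-transport,SHA1", which is the "something more specific" a GUI could instantiate.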