Re: minor inconsistency in arch doc (maybe)

>>>>> "Scott" == Scott G Kelly <skelly@redcreek.com> writes:
    Scott> Steve,

    Scott> I guess I didn't really make myself clear - let me try
    Scott> again. First, here's a simple schematic:

    Scott> H1-----SGW1-------SGW2----H2
	  net1                      net2

    Scott> In SGW1, I want to apply ESP tunnel mode to IP datagrams from H1
    Scott> to H2.  Note that there may be other hosts on H1's net, and also

  Okay. Is there some policy for the other nodes at net1/net2? Is this 
policy on SG1, or on H1?

sourceIP      destIP     protocol    ports     SA parms
====================================================================
 H1's IP      H2's IP      *          *        ESP-tunnel,3DES,SHA1
 SGW1's IP    SGW2's IP    ESP        --       AH-transport,SHA1

  Depending on whether you apply your policy recursively or not, this
may or may not achieve double authentication. For simplicity in
implementation, I would have my GUI do the recursive application ahead
of time and instantiate something more specific.
  Your policy may have unintended effects on packets that weren't part
of the H1/H2 stream. (Or it may have an effect you want.)

sourceIP      destIP     protocol    ports     SA parms
====================================================================
 H1's IP      H2's IP      ESP        *        AH-transport,SHA1

    Scott> Note the use of ESP in the protocol field. My question: does this
    Scott> violate the design intent of the architecture, or is the language
    Scott> I quoted in my earlier post a bit misleading?

  This tells me that H1 and H2 will establish an SA with ESP. SG1, upon
seeing such packets, will add an AH to it. This is different from what
you wrote above: the inner tunnel in the second case will terminate at H1/H2
instead of at SG1/SG2.

   :!mcr!:            |  Network and security consulting/contract programming
   Michael Richardson |         Firewalls, TCP/IP and Unix administration
 Personal: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html
 Corporate: http://www.sandelman.ottawa.on.ca/SSW/
	ON HUMILITY: To err is human, to moo bovine.
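The recursive-versus-single SPD lookup that Michael describes, as an added example that is not part of the original thread: a toy Python model of both tables above. The host and gateway labels, the packet representation and the way SPD entries and actions are encoded are all constructed assumptions for illustration, not any implementation's real data structures.

```python
"""Toy IPsec SPD model: first-match lookup, with or without recursive
re-application of the policy to the packet the previous SA produced."""
from dataclasses import dataclass, field

H1, H2, SGW1, SGW2 = "H1", "H2", "SGW1", "SGW2"   # constructed labels

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                                   # e.g. "TCP", "ESP", "AH"
    layers: list = field(default_factory=list)   # IPsec processing applied so far

# SPD entry: (src, dst, proto, action); "*" in a selector field is a wildcard.
# action is ("ESP-tunnel", outer_src, outer_dst) or ("AH-transport",).
def selector_matches(entry, pkt):
    sel_src, sel_dst, sel_proto, _action = entry
    return all(s == "*" or s == v for s, v in
               ((sel_src, pkt.src), (sel_dst, pkt.dst), (sel_proto, pkt.proto)))

def apply_action(action, pkt):
    """Return the packet as it looks on the wire after the SA is applied."""
    if action[0] == "ESP-tunnel":
        # Tunnel mode: new outer IP header between the gateways, protocol ESP.
        return Packet(action[1], action[2], "ESP", pkt.layers + ["ESP-tunnel"])
    if action[0] == "AH-transport":
        # Transport mode: same addresses, AH header in front of the payload.
        return Packet(pkt.src, pkt.dst, "AH", pkt.layers + ["AH-transport"])
    raise ValueError(action)

def outbound(spd, pkt, recursive, max_depth=8):
    """First-match SPD lookup; if recursive, look the resulting packet up again."""
    for _ in range(max_depth):
        hit = next((e for e in spd if selector_matches(e, pkt)), None)
        if hit is None:
            return pkt
        pkt = apply_action(hit[3], pkt)
        if not recursive:
            return pkt
    return pkt   # bound the loop in case the SPD keeps matching its own output

# First table in the message: ESP tunnel for H1->H2, AH on the gateways' ESP stream.
SPD_GATEWAY = [
    (H1, H2, "*", ("ESP-tunnel", SGW1, SGW2)),
    (SGW1, SGW2, "ESP", ("AH-transport",)),
]
# Second table: AH added only to traffic that is already ESP between H1 and H2.
SPD_HOST_ESP = [(H1, H2, "ESP", ("AH-transport",))]
```

With the first table, only the recursive lookup yields both ESP and AH on an H1-to-H2 packet, and any other ESP traffic between SGW1 and SGW2 picks up AH as well; with the second table, plain H1-to-H2 traffic is left alone.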