
Re: Proxy IDs and Tunnel mode Question



On Mon, 15 Feb 1999 18:04:17 EST you wrote
> 
>     I am running a test to ipsec-wit.antd.nist.gov. I am running in
> tunnel mode and I am not getting Proxy IDs sent to me during the Quick
> mode negotiation. It was my understanding that the proxy IDs are
> required in tunnel mode; how else do you know what net you are actually
> tunneling to?

They're not required and if you're the initiator and you didn't send
them then you shouldn't expect them. 

>     What happens in the case of a host running tunnel mode? Do you just
> assume that if there are no proxy IDs and you are in tunnel mode then
> this is a host and not a gateway? 

Section 5.5 of RFC2409 says:

  "The identities of the SAs negotiated in Quick Mode are implicitly
   assumed to be the IP addresses of the ISAKMP peers, without any
   implied constraints on the protocol or port numbers allowed, unless
   client identifiers are specified in Quick Mode."

So if the encapsulation attribute negotiated indicates tunnel mode
and there are no additional identities passed then the identities are
those of the ISAKMP peers from phase 1. (The term "client ID" replaced
"proxy ID" because someone-- whose name I forget-- said that proxy was
too confusing, but they both refer to the same thing).

>                                In that case what is to stop a person
> from pretending that they are a host but really acting as a gateway and
> forwarding all traffic from the tunnel to anywhere?

The packets (both inner and outer headers) would be addressed to the host 
so it would have to intentionally misbehave. So if the host is misbehaving 
then the answer to your question is: nothing. But such (mis)behavior can be 
done by a host with transport mode too. And it can be done with manually 
keyed SAs.

  Dan.



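The RFC 2409 section 5.5 defaulting described in the reply above, together with the inner-header check a tunnel-mode endpoint applies after decapsulation, as an added example. This is Python written for this page, not code from the original message or from any IKE implementation. The ID type values and the "zero means any" protocol/port convention are taken from RFC 2407 section 4.6.2; the ClientID class, the function names and the sample addresses and exchange are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not part of the original message or of any real IKE
# implementation. A minimal model of the Quick Mode client identities
# (IDci/IDcr, RFC 2409 section 5.5; field semantics from RFC 2407
# section 4.6.2) and of the inbound selector check a tunnel-mode endpoint
# runs on the inner header after decapsulation. The ID type numbers and
# the zero-means-any rule are RFC 2407's; names and sample data are
# hypothetical.

ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4


@dataclass(frozen=True)
class ClientID:
    id_type: int
    data: str          # "a.b.c.d" or "a.b.c.d/prefix"
    protocol: int = 0  # RFC 2407: 0 means "any protocol"
    port: int = 0      # RFC 2407: 0 means "any port"

    def network(self) -> ipaddress.IPv4Network:
        if self.id_type == ID_IPV4_ADDR:
            return ipaddress.ip_network(self.data + "/32")
        if self.id_type == ID_IPV4_ADDR_SUBNET:
            return ipaddress.ip_network(self.data, strict=False)
        raise ValueError(f"unsupported ID type {self.id_type}")


def phase2_selectors(my_addr: str, peer_addr: str,
                     my_id: Optional[ClientID] = None,
                     peer_id: Optional[ClientID] = None) -> Tuple[ClientID, ClientID]:
    """Selectors (local, remote) for the SA negotiated in Quick Mode.

    my_addr/peer_addr are the ISAKMP peers from phase 1. With no client
    IDs in Quick Mode, RFC 2409 5.5 says the identities default to those
    addresses with no protocol or port constraint. The IDs come as a pair;
    a lone one is treated as a malformed exchange."""
    if (my_id is None) != (peer_id is None):
        raise ValueError("IDci and IDcr must both be present or both absent")
    if my_id is None:
        return ClientID(ID_IPV4_ADDR, my_addr), ClientID(ID_IPV4_ADDR, peer_addr)
    return my_id, peer_id


def _matches(sel: ClientID, addr: str, proto: int, port: int) -> bool:
    if ipaddress.ip_address(addr) not in sel.network():
        return False
    if sel.protocol and sel.protocol != proto:
        return False
    if sel.port and sel.port != port:
        return False
    return True


def inner_packet_allowed(local: ClientID, remote: ClientID,
                         src: str, dst: str, proto: int,
                         sport: int, dport: int) -> bool:
    """Inbound check on the inner header of a tunnel-mode packet after
    decapsulation: the source must fall within the remote selector and the
    destination within the local one. Anything outside the negotiated
    identities is dropped instead of being forwarded."""
    return _matches(remote, src, proto, sport) and _matches(local, dst, proto, dport)


# Constructed sample: two hosts in tunnel mode; no client IDs were sent, so
# the selectors collapse to the two ISAKMP peer addresses.
HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"
DEFAULT_LOCAL, DEFAULT_REMOTE = phase2_selectors(HOST_B, HOST_A)

# Constructed sample: the peer explicitly claims a subnet behind it, i.e. it
# is acting as a gateway and says so in IDci.
GW_LOCAL, GW_REMOTE = phase2_selectors(
    HOST_B, HOST_A,
    my_id=ClientID(ID_IPV4_ADDR, HOST_B),
    peer_id=ClientID(ID_IPV4_ADDR_SUBNET, "10.1.0.0/16"))

if __name__ == "__main__":
    print(inner_packet_allowed(DEFAULT_LOCAL, DEFAULT_REMOTE, HOST_A, HOST_B, 6, 40000, 22))
    print(inner_packet_allowed(DEFAULT_LOCAL, DEFAULT_REMOTE, "10.1.2.3", HOST_B, 6, 40000, 22))
    print(inner_packet_allowed(GW_LOCAL, GW_REMOTE, "10.1.2.3", HOST_B, 6, 40000, 22))
```

With no client IDs the remote selector is the peer's own address, so an inner packet sourced from 10.1.2.3 is dropped; once the peer announces 10.1.0.0/16 in IDci, the same packet passes. This check only bounds what the peer may put in the inner header. As the reply says, it does nothing about a host that receives packets correctly addressed to itself and then chooses to forward them elsewhere.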