
Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)



> 
> Again, we have the 3 situations I described in an earlier email, and I
> think the only problematic situation is when an end-user behind a
> firewall wants to establish (or permit) a secured session *through* the
> firewall. Some administrators simply refuse, saying "I can't see what's
> in the encrypted traffic, and that's unacceptable". I see no solution in
> this case, since they do not trust their internal systems/users. Tough
> situation. 
> 

Scott,

	There are solutions, although not yet _completely_
implemented, to the problem of security gateways tunneling encrypted
traffic to an end user. For example, assume that a security gateway
obtains securely the policy and SPI corresponding to the tunnel
traffic. Given this information, the security gateway can
"dynamically" add a new SPD entry indicating that traffic from src XX
to dst YY with prot 50 and SPI: ZZZZ is allowed. Now, proper inbound
processing will be possible since these fields (src, dst, prot, and
SPI) are in the clear and the SPI->policy relationship existed in the
SPD of the security gateway a priori. A piece of this solution was
presented by Charlie Lynn on behalf of Kai Martius during the IPsec
Policy BOF in MN. Perhaps we didn't have enough coffee or the meeting
was plain old boring (or both;-).

Luis
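An added illustration of the inbound check described in the message above (example code, not from the thread or any IPsec implementation): a toy gateway that, once it has obtained a tunnel's policy and SPI, adds a (src, dst, proto 50, SPI) entry to its SPD and then admits an ESP packet only by parsing the cleartext IPv4 header and ESP SPI. The secure out-of-band policy fetch is assumed and not modelled; addresses and SPI values are constructed.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ESP = 50  # IP protocol number for ESP; the SPI and sequence number are sent in the clear


@dataclass(frozen=True)
class SpdEntry:
    src: str
    dst: str
    proto: int
    spi: int


@dataclass
class SecurityGateway:
    """Gateway that forwards ESP tunnels only for (src, dst, SPI) tuples it has learned."""
    spd: set = field(default_factory=set)

    def learn_tunnel(self, src: str, dst: str, spi: int) -> None:
        # Called after the policy and SPI for a tunnel were securely obtained
        # (that exchange is assumed here; it is not part of this model).
        self.spd.add(SpdEntry(src, dst, ESP, spi))

    def inbound_allowed(self, packet: bytes) -> bool:
        # Decide using only fields that are never encrypted: IPv4 src/dst/proto, ESP SPI.
        if len(packet) < 20:
            return False
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        src = str(ipaddress.IPv4Address(packet[12:16]))
        dst = str(ipaddress.IPv4Address(packet[16:20]))
        if proto != ESP or len(packet) < ihl + 8:
            return False  # not ESP, or too short to carry an ESP header
        spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]
        return SpdEntry(src, dst, ESP, spi) in self.spd


def build_esp_packet(src: str, dst: str, spi: int, seq: int = 1,
                     payload: bytes = b"\x00" * 16) -> bytes:
    # Constructed sample: IPv4 header (no options, checksum left 0) + ESP header + opaque ciphertext.
    total = 20 + 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!II", spi, seq) + payload
```

Note that the check admits the packet without touching the ciphertext; a mismatching SPI, a different peer, or a non-ESP packet is dropped.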

