Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)
Hi Luis,
"Luis A. Sanchez" wrote:
>
> Scott,
>
> there are solutions, although not yet _completely_
> implemented, to the problem of security gateways tunneling encrypted
> traffic to an end user. For example, assume that a security gateway
> obtains securely the policy and SPI corresponding to the tunnel
> traffic. Given this information, the security gateway can
> "dynamically" add a new SPD entry indicating that traffic from src XX
> to dst YY with prot 50 and SPI: ZZZZ is allowed. Now, proper inbound
> processing will be possible since these fields (src, dst, prot, and
> SPI) are in the clear and the SPI->policy relationship existed in the
> SPD of the security gateway a priori. A piece of this solution was
> presented by Charlie Lynn on behalf of Kai Martius during the IPsec
> Policy BOF in MN. Perhaps we didn't have enough coffee or the meeting
> was plain old boring (or both;-).
I caught Charlie's presentation, and I agree that this should go a long
way toward resolving the problem when the administrator simply wants to
have a mechanism for "safely" passing the traffic through. I was
referring, though, to another situation, that being the one in which the
administrator wants to know what's *inside* the encrypted payload, and
therefore will not permit such traffic to traverse the firewall.
Scott
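A small model of the mechanism Luis describes, added here as an example and not code from the thread or from any IPsec implementation: the gateway is handed a (src, dst, SPI) triple, adds it to its SPD, and then admits inbound ESP only when those cleartext fields match. The policy source and the packet builder are assumptions; the sample packets are constructed. It also makes Scott's point visible, since nothing past the SPI is inspected.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTOCOL = 50  # IP protocol number for ESP, as cited in the thread


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    spi: int


class SecurityGateway:
    """Firewall that admits ESP only for tunnels it was explicitly told about."""

    def __init__(self):
        self.spd = set()

    def learn_tunnel(self, src, dst, spi):
        # Models the "securely obtained" policy + SPI. How the gateway learns it
        # (e.g. from a policy server) is assumed and not modelled here.
        self.spd.add(SpdEntry(ipaddress.IPv4Address(src),
                              ipaddress.IPv4Address(dst), spi))

    def inbound_allowed(self, packet: bytes) -> bool:
        # Only the cleartext IPv4 header and the ESP SPI are inspected.
        if len(packet) < 20:
            return False
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        if proto != ESP_PROTOCOL or len(packet) < ihl + 8:
            return False
        src = ipaddress.IPv4Address(packet[12:16])
        dst = ipaddress.IPv4Address(packet[16:20])
        spi, = struct.unpack("!I", packet[ihl:ihl + 4])  # SPI is the first ESP word
        return SpdEntry(src, dst, spi) in self.spd


def build_esp_packet(src, dst, spi, seq=1, payload=b"\x00" * 16):
    # Constructed sample: minimal IPv4 header (no options, checksum left 0)
    # followed by the 8-byte ESP header (SPI, sequence number) and opaque payload.
    total_len = 20 + 8 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                      ESP_PROTOCOL, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!II", spi, seq) + payload
```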