
Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)



Hi Luis,

"Luis A. Sanchez" wrote:
> 
> Scott,
> 
>         there are solutions, although not yet _completely_
> implemented, to the problem of security gateways tunneling encrypted
> traffic to an end user. For example, assume that a security gateway
> obtains securely the policy and SPI corresponding to the tunnel
> traffic. Given this information, the security gateway can
> "dynamically" add a new SPD entry indicating that traffic from src XX
> to dst YY with prot 50 and SPI: ZZZZ is allowed. Now, proper inbound
> processing will be possible since these fields (src, dst, prot, and
> SPI) are in the clear and the SPI->policy relationship existed in the
> SPD of the security gateway a priori. A piece of this solution was
> presented by Charlie Lynn on behalf of Kai Martius during the IPsec
> Policy BOF in MN. Perhaps we didn't have enough coffee or the meeting
> was plain old boring (or both;-).

I caught Charlie's presentation, and I agree that this should go a long
way toward resolving the problem when the administrator simply wants to
have a mechanism for "safely" passing the traffic through. I was
referring, though, to another situation, that being the one in which the
administrator wants to know what's *inside* the encrypted payload, and
therefore will not permit such traffic to traverse the firewall.

Scott
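As an added example (not part of the thread above, and not code from any IPsec implementation), the following Python models the filter Luis describes: a gateway that has securely learned (src, dst, SPI) for a tunnel adds a "dynamic" SPD entry, and then matches inbound ESP only on the fields that are in the clear in the outer packet: outer source, outer destination, protocol 50, and SPI. The `GatewaySPD` class, the addresses, the SPI value and the packet bytes are all constructed here for illustration; the IPv4 checksum is left zero because this filter never consults it. It also makes Scott's point visible: the only thing the gateway can return about the payload is an opaque blob of ciphertext.

```python
"""Added example: gateway-side filtering of ESP on cleartext outer fields only.

Not from the original mailing-list post. The SPD API below is hypothetical and
the packets are constructed in-line for the demonstration.
"""
import ipaddress
import struct

ESP_PROTO = 50              # IP protocol number for ESP
ESP_HDR_LEN = 8             # SPI (4 bytes) + sequence number (4 bytes), both cleartext


def parse_esp_outer(pkt: bytes):
    """Return (src, dst, proto, spi) from an IPv4 packet carrying ESP.

    Returns None if the packet is not a well-formed IPv4 datagram. For a
    non-ESP protocol the tuple's spi slot is None. Nothing after the 8-byte
    ESP header is examined: it is ciphertext as far as the gateway can tell.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto != ESP_PROTO:
        return (src, dst, proto, None)
    if len(pkt) < ihl + ESP_HDR_LEN:
        return None
    spi, _seq = struct.unpack("!II", pkt[ihl:ihl + ESP_HDR_LEN])
    return (src, dst, proto, spi)


def esp_payload(pkt: bytes) -> bytes:
    """The part of an ESP packet the gateway cannot read: everything after SPI+seq."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + ESP_HDR_LEN:]


class GatewaySPD:
    """Hypothetical SPD holding dynamically added (src, dst, proto, spi) selectors."""

    def __init__(self):
        self._allowed = set()

    def add_tunnel_entry(self, src: str, dst: str, spi: int) -> None:
        # Assumed to be called only after the tuple was obtained over a trusted
        # policy channel, as the quoted post requires.
        self._allowed.add((src, dst, ESP_PROTO, spi))

    def decide(self, pkt: bytes) -> str:
        selector = parse_esp_outer(pkt)
        if selector is None:
            return "DROP"               # not IPv4 or truncated
        return "PASS" if selector in self._allowed else "DROP"


def build_ipv4_esp(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Construct an IPv4 datagram carrying ESP (checksum left zero; not verified here)."""
    total_len = 20 + ESP_HDR_LEN + len(ciphertext)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, ESP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + struct.pack("!II", spi, seq) + ciphertext


# Constructed sample tunnel and an opaque stand-in for encrypted payload.
TUNNEL_SRC, TUNNEL_DST, TUNNEL_SPI = "192.0.2.10", "198.51.100.20", 0x1000ABCD
CIPHERTEXT = bytes.fromhex("deadbeef" * 4)


def demo() -> dict:
    """Run the filter before and after the dynamic SPD entry exists."""
    spd = GatewaySPD()
    good = build_ipv4_esp(TUNNEL_SRC, TUNNEL_DST, TUNNEL_SPI, 1, CIPHERTEXT)
    wrong_spi = build_ipv4_esp(TUNNEL_SRC, TUNNEL_DST, 0x2000ABCD, 1, CIPHERTEXT)
    wrong_dst = build_ipv4_esp(TUNNEL_SRC, "198.51.100.21", TUNNEL_SPI, 1, CIPHERTEXT)

    before = spd.decide(good)                 # no entry yet: dropped
    spd.add_tunnel_entry(TUNNEL_SRC, TUNNEL_DST, TUNNEL_SPI)
    return {
        "before_entry": before,
        "good": spd.decide(good),
        "wrong_spi": spd.decide(wrong_spi),
        "wrong_dst": spd.decide(wrong_dst),
        "selector": parse_esp_outer(good),
        "visible_payload": esp_payload(good),   # still ciphertext to the gateway
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The selector is an exact match on all four fields, so a packet that differs only in SPI or only in outer destination is dropped even when the other three fields belong to a known tunnel; that is the whole of what a gateway in this position can enforce, which is why the filter cannot answer Scott's question about what the payload contains.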

