
Re: ipsec through firewalls (was re:INITIAL-CONTACT issues)



Scott,

As you observed, there are several issues here. IKE through a firewall is
an issue because use of UDP, vs. TCP, deprives the firewall admin of the
easy means of determining whether the initiator of the session is inside or
outside of the firewall.  Of course, with a simple application proxy, they
can figure this out anyway, but with just packet filtering, and in the
absence of the necessary proxy, ...

With regard to AH and ESP, the concerns are analogous (with respect to initiators
vs. responders), plus there is the problem of not knowing which ports on
the internal machines are being accessed.

The new work on policy with IPsec, which may have a WG soon, can address
these problems, to first order.  The work of some of the folks here at BBN
provides a way for a security admin to interact with a policy module on an
end system behind a firewall, to approve/reject proposed SAs, and thus
gives a basis for managing IKE exchanges.  With direct knowledge of the
specific parameters for each SA being negotiated for a client, a sys
security admin may then be comfortable with allowing IPsec traffic through
a firewall.

Steve
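The two points above (a stateless filter cannot tell who initiated a UDP/500 exchange, and ESP exposes no inner port numbers, so admission has to be decided per negotiated SA) can be illustrated with a small simulation. The following is an added example, not code from the original message or from BBN's policy work; the address range, host addresses, SPI values and the `PolicyAwareFilter` model are constructed for illustration.

```python
"""Toy model: stateless packet filtering of IKE/ESP versus a filter that
tracks IKE direction and admits ESP only for administrator-approved SAs.
Constructed example; addresses, SPIs and class names are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

UDP_PROTO = 17
ESP_PROTO = 50
IKE_PORT = 500
INSIDE_PREFIX = "10.0."          # assumed "inside" address range (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # UDP only
    dport: Optional[int] = None  # UDP only
    spi: Optional[int] = None    # ESP only


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


def is_ike(pkt: Packet) -> bool:
    return pkt.proto == UDP_PROTO and IKE_PORT in (pkt.sport, pkt.dport)


def stateless_verdict(pkt: Packet) -> str:
    """Plain packet filter: it must allow UDP/500 and ESP in both directions,
    because one packet carries no initiator/responder information and an ESP
    packet shows no inner port numbers to filter on."""
    if is_ike(pkt) or pkt.proto == ESP_PROTO:
        return "allow"
    return "deny"


class PolicyAwareFilter:
    """Remembers which side sent the first packet of each IKE exchange and
    admits ESP only for SAs an administrator has explicitly approved
    (each direction of an SA has its own SPI, so approve both)."""

    def __init__(self) -> None:
        self.ike_flows: Dict[Tuple, str] = {}          # flow key -> originator
        self.approved_sas: Set[Tuple[str, str, int]] = set()

    @staticmethod
    def _flow_key(pkt: Packet) -> Tuple:
        # Direction-independent key so the reply matches the request.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def approve_sa(self, inside_host: str, outside_peer: str, spi: int) -> None:
        self.approved_sas.add((inside_host, outside_peer, spi))

    def verdict(self, pkt: Packet) -> str:
        if is_ike(pkt):
            key = self._flow_key(pkt)
            if key not in self.ike_flows:
                if not is_inside(pkt.src):
                    return "deny"          # unsolicited IKE from outside
                self.ike_flows[key] = "inside"
            return "allow"                 # first packet, or reply to a known flow
        if pkt.proto == ESP_PROTO:
            if is_inside(pkt.src):
                inside, outside = pkt.src, pkt.dst
            else:
                inside, outside = pkt.dst, pkt.src
            if (inside, outside, pkt.spi) in self.approved_sas:
                return "allow"
            return "deny"                  # ESP for an SA nobody approved
        return "deny"


def run_demo() -> Dict[str, str]:
    """Same outside->inside IKE packet: allowed by the stateless filter,
    denied by the policy-aware filter until the inside host speaks first."""
    f = PolicyAwareFilter()
    outside_first = Packet("198.51.100.7", "10.0.0.5", UDP_PROTO, 500, 500)
    inside_first = Packet("10.0.0.5", "198.51.100.7", UDP_PROTO, 500, 500)
    esp_in = Packet("198.51.100.7", "10.0.0.5", ESP_PROTO, spi=0x1001)
    results = {
        "stateless_outside_ike": stateless_verdict(outside_first),
        "stateful_outside_ike": f.verdict(outside_first),
        "stateful_inside_ike": f.verdict(inside_first),
        "stateful_reply_ike": f.verdict(outside_first),
        "stateless_esp": stateless_verdict(esp_in),
        "stateful_esp_unapproved": f.verdict(esp_in),
    }
    f.approve_sa("10.0.0.5", "198.51.100.7", 0x1001)
    results["stateful_esp_approved"] = f.verdict(esp_in)
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:26s} {verdict}")
```

The key observation is that `outside_first` and the reply to `inside_first` are byte-for-byte the same packet; only remembered state separates the two cases, which is exactly what a port-and-address rule cannot express. The ESP branch stands in for the per-SA approval step described in the message: without a policy module telling the firewall which (hosts, SPI) tuples were sanctioned, the filter can only admit or refuse all ESP wholesale.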

