
Re: IPSEC tunnels for LAN-to-LAN interop issue
   To: "Waters, Stephen" <Stephen.Waters@cabletron.com>
   cc: ipsec@lists.tislabs.com
   Subject: Re: IPSEC tunnels for LAN-to-LAN interop issue
   Date: Thu, 26 Aug 1999 17:19:41 -0700
   From: Dan Harkins <dharkins@network-alchemy.com>

     Perhaps RIP is not the right tool for this job. Can't you run BGP between
   the SGWs?

     Dan.

The fundamental challenge is that we have redefined the IP protocol in
adding IPSec to it.  Packets are no longer forwarded based solely on
their IP address.  A security gateway has to forward packets at the
connection level.  This isn't IP, it's more like X.25 (with IKE as the
call setup protocol).

There is no defined IP routing protocol that routes to the connection
level.  Not RIP, not OSPF, not IGRP, not EGP, not GGP, not Dual IS-IS,
not (please no!) BGP4.

So, a "brutally honest" IP Security Gateway can only use static
routes.  (At least if each IPSec tunnel mode "connection" is an
interface.)  Anything else will violate RFC 2401.

We've basically made a certain set of IP routers connection-oriented.


If you want to stick with tunnel mode IPSec, and run real dynamic
routing between a pair of security gateways, what I've figured you do
is aggregate all the tunnel mode SAs between the two SGs into one
"interface" that you present to the IP forwarder.  One of those SAs
has to be a tunnel (or transport?) one that allows the routing
protocol itself to pass between the two SGs.  Then, once it's time to
forward a packet over the "interface", something below the IP
forwarder picks the right SA in the SAD to send it over.  If there is
no SA (or entry in the SPD allowing the creation of the SA), then you
drop the packet.

Also, the user could configure the SPD with a rule of "everything I
learn from OSPF as a type 1 internal route from this peer SG is
allowable in the SPD, using these transforms."


Now, what I think the market will do for Intranet over Internet
LAN-to-LAN connections (due to Windows 2000) is use transport mode
between security gateways, and run L2TP inside that, with IP over PPP
inside L2TP.  This lets them run their favorite IGP over that IP
"interface".  Now they have something just like their leased line, but
it runs over a shared IP network between the sites.  All the SPD says
is that "L2TP is allowed in transport mode to/from these peer SGs".

But, this is only suitable for a security gateway that will only speak
to preconfigured peer security gateways under the same administrative
ownership.  It's not suitable for a security gateway that has an SPD
or policy allowing it to "talk to strangers".  (That's the general
case that nobody has figured out how to practically express policy for
yet, so it's just not happening yet.)
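The aggregated-interface forwarding path and the OSPF-derived SPD rule described in the message above, as an added Python sketch that is not code from the original post: one object per peer SG holds that peer's SAD and SPD, and the forwarder first tries an existing SA, then an SPD rule that permits negotiating one, and otherwise drops. The class and field names, the selector fields, and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SA:
    """One tunnel-mode SA in the SAD, keyed by SPI, with its traffic selectors (assumed fields)."""
    spi: int
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network

@dataclass
class SPDRule:
    """An SPD entry: traffic to dst_net may have an SA created with these transforms."""
    dst_net: ipaddress.IPv4Network
    transforms: str

class PeerInterface:
    """The single 'interface' to one peer SG that aggregates all SAs toward it."""
    def __init__(self, peer: str):
        self.peer = peer
        self.sad: list[SA] = []       # SAs already negotiated with this peer
        self.spd: list[SPDRule] = []  # ordered policy list, first match wins

    def add_sa(self, spi: int, src: str, dst: str) -> None:
        self.sad.append(SA(spi, ipaddress.ip_network(src), ipaddress.ip_network(dst)))

    def learn_route(self, prefix: str, transforms: str = "esp-placeholder") -> None:
        # Models the rule "everything I learn from OSPF as a type 1 internal route
        # from this peer SG is allowable in the SPD, using these transforms".
        self.spd.append(SPDRule(ipaddress.ip_network(prefix), transforms))

    def forward(self, src: str, dst: str) -> tuple:
        """Decide what happens to a packet handed to this interface by the IP forwarder."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. An SA in the SAD already covers this flow: send over it.
        for sa in self.sad:
            if s in sa.src_net and d in sa.dst_net:
                return ("send", sa.spi)
        # 2. No SA, but the SPD allows one to be created: trigger IKE for it.
        for rule in self.spd:
            if d in rule.dst_net:
                return ("negotiate", rule.transforms)
        # 3. Neither: the packet is dropped rather than sent in the clear.
        return ("drop", None)

def demo() -> list:
    """Constructed sample: one existing SA, one OSPF-learned prefix, one unknown destination."""
    ifc = PeerInterface("peer-sg-example")
    ifc.add_sa(0x1001, "10.1.0.0/16", "10.2.0.0/16")
    ifc.learn_route("10.3.0.0/16", "esp-placeholder")
    return [ifc.forward("10.1.1.1", "10.2.5.5"),
            ifc.forward("10.1.1.1", "10.3.7.7"),
            ifc.forward("10.1.1.1", "192.0.2.1")]
```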

