
Re: IPSec Complexity



Stephen Kent wrote:
> 
> Skip,
> 
> I think the problem is much worse than your example suggests.  If a
> site has SAs to multiple other sites or multiple dialup users, then
> once the traffic pops out of an SA, the rest of the receiver system
> does not know which SA the traffic came from (assuming modular

The receiver system does in fact know which SA the traffic came from,
albeit indirectly.

The filters that Skip is referring to are applied on a per-user basis,
based upon the authenticated PPP user. There is, in turn, a direct
linkage between this PPP user, L2TP, and ultimately the IPsec SA. IPsec
of course ensures that only L2TP data can arrive on that particular SA.

> layering of the pieces of the receiver system).  Thus any filtering
> that is applied to the inner header can determine only if ANY

Again, the filtering that is applied on the inner header is applied only
to a single PPP data stream, which arrives over a single L2TP session that
is associated with a single IPsec SA.

> legitimate source is allowed to send traffic of a specific form, not
> whether the sender in question was allowed to send the traffic in
> question.  Thus any source can spoof traffic that would be acceptable
> if it came from any other source with which the receiver is willing
> to communicate. In the worst case, the scope of this spoofing applies
> to sources irrespective of whether such sources have SAs in place at
> the time the traffic arrives.  This is the sort of problem I was
> referring to as a side effect of disassociating access control
> filtering from IPsec.

This is a side effect only if your filters are applied globally to all
data coming from IPsec. 

> 
> Steve

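The two positions in this exchange can be made concrete with a small model of the receiver. What follows is an added illustration, not code from the original message, from Stephen Kent, or from any IPsec or L2TP implementation; the SPIs, user names, prefixes and ports are made up for the example. `accept_global` models Kent's concern (inner-header filters applied after the SA identity has been lost, so a packet passes if any configured peer may send it), while `accept_per_user` models the reply's binding chain SA -> L2TP session -> authenticated PPP user -> that user's filter.

```python
"""
Toy model of two ways to filter traffic after it leaves IPsec.
Constructed example: every identifier and address below is invented.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address


@dataclass(frozen=True)
class InnerPacket:
    """Decapsulated IP packet, i.e. what pops out after IPsec, L2TP and PPP."""
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class UserPolicy:
    """Per-PPP-user filter: allowed inner source prefixes and destination ports."""
    allowed_src: list   # list of IPv4Network
    allowed_dports: set

    def permits(self, pkt: InnerPacket) -> bool:
        return (any(pkt.src in net for net in self.allowed_src)
                and pkt.dport in self.allowed_dports)


@dataclass
class Receiver:
    # The binding chain the reply relies on, kept as three small tables.
    sa_to_session: dict = field(default_factory=dict)    # SPI -> L2TP session id
    session_to_user: dict = field(default_factory=dict)  # session id -> PPP user
    user_policy: dict = field(default_factory=dict)      # PPP user -> UserPolicy

    def add_user(self, spi: int, session_id: int, user: str, policy: UserPolicy):
        self.sa_to_session[spi] = session_id
        self.session_to_user[session_id] = user
        self.user_policy[user] = policy

    def accept_global(self, spi: int, pkt: InnerPacket) -> bool:
        """Kent's scenario: the SA identity is not available to the filter,
        so the packet is accepted if ANY configured user may send it."""
        if spi not in self.sa_to_session:
            return False  # it must at least have arrived on a live SA
        return any(p.permits(pkt) for p in self.user_policy.values())

    def accept_per_user(self, spi: int, pkt: InnerPacket) -> bool:
        """Reply's scenario: only the policy of the user reached through
        this SA's L2TP session is consulted."""
        session = self.sa_to_session.get(spi)
        user = self.session_to_user.get(session)
        policy = self.user_policy.get(user)
        return policy is not None and policy.permits(pkt)


def build_demo() -> Receiver:
    """Two dialup users, each with its own SA, L2TP session and filter (invented)."""
    r = Receiver()
    r.add_user(spi=0x1001, session_id=1, user="alice",
               policy=UserPolicy([ip_network("10.1.0.0/24")], {22}))
    r.add_user(spi=0x1002, session_id=2, user="bob",
               policy=UserPolicy([ip_network("10.2.0.0/24")], {80}))
    return r


def spoof_demo() -> dict:
    """Bob's SA carries a packet that claims Alice's source range and port.
    Global filtering lets it through; per-user filtering rejects it."""
    r = build_demo()
    forged = InnerPacket(ip_address("10.1.0.5"), ip_address("192.0.2.10"), 22)
    return {"global": r.accept_global(0x1002, forged),
            "per_user": r.accept_per_user(0x1002, forged)}


def legit_demo() -> dict:
    """The same packet on Alice's own SA is accepted under both models."""
    r = build_demo()
    pkt = InnerPacket(ip_address("10.1.0.5"), ip_address("192.0.2.10"), 22)
    return {"global": r.accept_global(0x1001, pkt),
            "per_user": r.accept_per_user(0x1001, pkt)}


def unknown_sa_demo() -> dict:
    """Traffic that did not arrive on any live SA is rejected by both."""
    r = build_demo()
    pkt = InnerPacket(ip_address("10.1.0.5"), ip_address("192.0.2.10"), 22)
    return {"global": r.accept_global(0x9999, pkt),
            "per_user": r.accept_per_user(0x9999, pkt)}


if __name__ == "__main__":
    print("forged packet on bob's SA:", spoof_demo())
    print("alice's packet on alice's SA:", legit_demo())
    print("packet on unknown SA:", unknown_sa_demo())
```

The difference between the two models is entirely in which policy table the filter consults: once the SA (and through it the L2TP session and PPP user) is carried along with the decapsulated packet, a peer can only send what that peer is allowed to send, which is the point the reply makes about filters not being applied globally.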
