[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )

To: "Kais Belgaied" <kais@domus.ebay.sun.com>, <smb@research.att.com>
Subject: RE: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )
From: "Joseph D. Harwood" <jharwood@vesta-corp.com>
Date: Thu, 1 Mar 2001 14:33:50 -0800
Cc: <ipng@sunroof.eng.sun.com>, <ipsec@lists.tislabs.com>
Importance: Normal
In-Reply-To: <200103012217.OAA13178@domus.ebay.sun.com>
Sender: owner-ipsec@lists.tislabs.com

Thank you, that clarifies the situation a great deal.

Since the packet must be tunneled between SG1 and SG2 (it's transit traffic,
Tunnel Mode is required), ESP could be used as well as AH and this would
also protect the security label of the inner packet.  Perhaps this option
could be included in the draft.

Best Regards,
Joseph D. Harwood
jharwood@vesta-corp.com
www.vesta-corp.com

> -----Original Message-----
> From: Kais Belgaied [mailto:kais@domus.ebay.sun.com]
> Sent: Thursday, March 01, 2001 2:18 PM
> To: jharwood@vesta-corp.com; smb@research.att.com
> Cc: ipng@sunroof.eng.sun.com; ipsec@lists.tislabs.com
> Subject: Label on the H-b-H (was Re: Internet Draft for explicit
> security labels in IPv6. )
>
>
> For a router to trust a label in the hop-by-hop header, it has to either
> *believe* the packet is authentic (packet coming in through an interface
> connected to a highly secured network), or it is the other end (dst) of an
> AH AS protecting the labeled packet.
>
> Here is an example:
>
>       Secure (trusted)   Unsecure network   Secure network
>          network         (non trustworthy)
>          /------\         //----\\         /------\
>          |      |         |      |         |      |
> Host1  --|      |-- SGW1--|      | --SGW2--|      |--- Host2
>          |      |         |      |         |      |
>          \------/         \\----//         \------/
>
> The security policy requires that data at certain labels follow
> certain paths
> inside the secure networks, and that it is offered a certain
> protection when
> travelling through untrusted clouds. The inside routers in the
> trusted networks
> will use the label for trusted routing. Edge routers SGW1 & SGW2
> MUST use an AH
> SA
>
> If confidentiality is required, An additional AH ESP between
> Host1 and Host2
> can be used.
>
> Kais.
>
> >>
> >>My understanding of the draft was that, one of the goals is for
> intervening
> >>routers to be able to make routing decisions based on the
> contents of the
> >>security label (Section 3.4):
> >>
> >>   A router needs to trust the authenticity and integrity of a
> >>   packet before making routing decision based on the content of its
> >>   label.
> >>
> >>The proposal is to permit security labels in Hop-By-Hop
> Extension Headers,
> >>which (if I remember correctly) are only protected by AH.
> >>
> >>This would seem to require AH.
> >
> >But intermediate routers don't have the keys to verify the AH header.
> >
> >		--Steve Bellovin, http://www.research.att.com/~smb
> >
> >
>
>

References:

Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )

From: Kais Belgaied <kais@domus.ebay.sun.com>

Prev by Date: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )
Next by Date: Re: Internet Draft for explicit security labels in IPv6.
Prev by thread: Label on the H-b-H (was Re: Internet Draft for explicit security labels in IPv6. )
Next by thread: Re: Label on the H-b-H (was Re: Internet Draft for explicitsecurity labels in IPv6. )
Index(es):
- Main
- Thread