
Re: ipsec in tunnel mode and dynamic routing



"Steven M. Bellovin" <smb@research.att.com> writes:

> It's not source address verification I'm concerned about, it's 
> connection hijacking and DOSing.

If you're going to route on top of IPsec (i.e. use IPsec tunnels as
links to be routed across) then you don't get any additional
protection anyways, because you truly are not limiting the packets
traversing your network.  Aren't dynamic routing and access-control
checks mutually exclusive in the "core"?  How would a core router know
whether there is a real path for a packet through a peer?  This seems
to boil down to secure routing paths, which would seem out of scope
for IPsec, no?

> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available

