
Re: ipsec in tunnel mode and dynamic routing





>>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
    Derek> "Steven M. Bellovin" <smb@research.att.com> writes:

    >> It's not source address verification I'm concerned about, it's 
    >> connection hijacking and DOSing.

    Derek> If you're going to route on top of IPsec (i.e. use IPsec tunnels as
    Derek> links to be routed across) then you don't get any additional
    Derek> protection anyways, because you truly are not limiting the packets
    Derek> traversing your network.  Aren't dynamic routing and access-control
    Derek> checks mutually exclusive in the "core"?  How would a core router know
    Derek> whether there is a real path for a packet through a peer?  This seems
    Derek> to boil down to secure routing paths, which would seem out of scope
    Derek> for IPsec, no?

  Well, it isn't out of scope. 
  RFC2401 essentially defines a standard firewall mechanism. Included in
this is a form of ingress filtering.

  If these are core routers with no default routes, it may well be that they
can not identify a single origin for packets with a given source
address. That doesn't limit them to doing ingress filtering, it just makes it 
a lot weaker (you have to accept from any of several origins).
   
  The major challenge for this effort in my opinion is:
      1) getting appropriate link status information.
      2) getting IKE to negotiate these tunnels which have totally screwy
	 (from IKE's point of view) selectors. One defers to the (policy
	 enhanced) routing table. [you pretty much need a separate routing
	 table for packets with proto=50/51]

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
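The ingress-filtering point made in the message above (a core router with no default route may see several legitimate origins for one source prefix, so the reverse-path check gets weaker rather than disappearing) as an added worked example. This is illustration code written for this page, not code from the message or from any IPsec implementation; the prefixes, interface names and the longest-prefix-match table are constructed stand-ins for a real FIB.

```python
"""Ingress (reverse-path) filtering on a core router whose routing table has
no default route and can list several origin interfaces for one prefix.

Added example, not code from the mailing-list message: the prefixes and
interface names below are constructed, and the routing table is a plain
longest-prefix-match list rather than a real kernel FIB.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ifaces: frozenset          # interfaces on which this prefix is reachable


class RoutingTable:
    """Longest-prefix-match table; there is no default route unless added."""

    def __init__(self, routes):
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen,
                             reverse=True)

    def lookup(self, addr):
        addr = ipaddress.ip_address(addr)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None


def origins(table, src):
    """Interfaces on which a packet with source `src` could legitimately
    arrive. Empty when there is no route back to the source (core router,
    no default route)."""
    route = table.lookup(src)
    return frozenset() if route is None else route.ifaces


def ingress_ok(table, src, in_iface):
    """Reverse-path check: drop unless the packet arrived on an interface that
    leads back to its source. When origins() has several members the check is
    weaker, as the message notes: any of those interfaces must be accepted."""
    return in_iface in origins(table, src)


def is_unambiguous(table, src):
    """True when the check for this source is as strong as on an edge router,
    i.e. exactly one origin interface exists."""
    return len(origins(table, src)) == 1


# Constructed table for a core router: a single-homed customer prefix, a
# multihomed peer whose /24 is reachable over two interfaces but whose more
# specific /25 is only reachable over one, and a transit prefix. No 0.0.0.0/0.
TABLE = RoutingTable([
    Route(ipaddress.ip_network("10.1.0.0/16"), frozenset({"eth1"})),
    Route(ipaddress.ip_network("192.0.2.0/24"), frozenset({"eth2", "eth3"})),
    Route(ipaddress.ip_network("192.0.2.128/25"), frozenset({"eth3"})),
    Route(ipaddress.ip_network("198.51.100.0/24"), frozenset({"eth3"})),
])


if __name__ == "__main__":
    for src, iface in [("10.1.5.5", "eth1"), ("10.1.5.5", "eth2"),
                       ("192.0.2.9", "eth2"), ("192.0.2.200", "eth2"),
                       ("203.0.113.1", "eth1")]:
        verdict = "accept" if ingress_ok(TABLE, src, iface) else "drop"
        print(f"{src:>14} on {iface}: {verdict} "
              f"(origins={sorted(origins(TABLE, src))})")
```

The multihomed /24 is the case the message describes: a packet from 192.0.2.9 has to be accepted on either eth2 or eth3, so the filter still rejects it on eth1 but can no longer tell the two peers apart. The more specific /25 shows that a longer match restores an unambiguous origin for part of that space; a packet from 203.0.113.1 is dropped outright because, with no default route, there is no path back to it at all.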
