Re: ipsec in tunnel mode and dynamic routing
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:
Derek> "Steven M. Bellovin" <smb@research.att.com> writes:
>> It's not source address verification I'm concerned about, it's
>> connection hijacking and DOSing.
Derek> If you're going to route on top of IPsec (i.e. use IPsec tunnels as
Derek> links to be routed across) then you don't get any additional
Derek> protection anyways, because you truly are not limiting the packets
Derek> traversing your network. Aren't dynamic routing and access-control
Derek> checks mutually exclusive in the "core"? How would a core router know
Derek> whether there is a real path for a packet through a peer? This seems
Derek> to boil down to secure routing paths, which would seem out of scope
Derek> for IPsec, no?
Well, it isn't out of scope.
RFC2401 essentially defines a standard firewall mechanism. Included in
this is a form of ingress filtering.
If these are core routers with no default routes, it may well be that they
can not identify a single origin for packets with a given source
address. That doesn't limit them to doing ingress filtering, it just makes it
a lot weaker (you have to accept from any of several origins)
The major challenge for this effort in my opinion is:
1) getting appropriate link status information.
2) getting IKE to negotiate these tunnels which have totally screwy
(from IKE's point of view) selectors. One defers to the (policy
enhanced) routing table. [you pretty much need a separate routing
table for packets with proto=50/51]
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Finger me for keys
iQCVAwUBO/m5woqHRg3pndX9AQF8kgP+PgIZB/TA9uPFsIqXgIXyUtQcrWhyP8TF
HbrneTnbmu1LhBtZxt3Ow5kisI6DayFrTuQdmxqHJkPdQH8nqRAkEcjSp9pUU1/i
T8KqXuOR/2nEXggBbdel4ibvgOD+9F9C61pspYvDQPtZgXWO8w4yV0XMjPyJmkU5
YPFX6aLNd/U=
=7LID
-----END PGP SIGNATURE-----
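The point made above, that RFC 2401 inbound processing amounts to an ingress filter whose selectors come from the (policy-enhanced) routing table, and that the filter gets weaker when a prefix is reachable through several peers, can be shown in a small model. The following is an added example written for this archive page; it is not code from Michael Richardson, the IPsec working group, or any IPsec implementation. The peers, prefixes, SPIs and packets are all constructed for illustration, and the decision logic is a simplification of the SPD/SAD checks, not a reproduction of the RFC text.

```python
"""Model of an inbound tunnel-mode check where the allowed inner sources
are derived from the routing table.  Shows the strict case (one tunnel
peer per prefix) next to the weaker case (several peers reach the same
prefix, as in a core router with no default route).  Constructed example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    peers: FrozenSet[Addr]      # tunnel endpoints this prefix is reachable through


@dataclass(frozen=True)
class SA:
    spi: int
    peer: Addr                  # outer source address negotiated (by IKE) for this SA


def build_inbound_selectors(routes: List[Route]) -> Dict[Addr, List[Net]]:
    """Per tunnel peer, the inner source prefixes that peer may originate.
    A peer that is a next hop for a prefix is also a plausible origin for
    it, so the routing table doubles as the inbound selector list."""
    selectors: Dict[Addr, List[Net]] = {}
    for r in routes:
        for p in r.peers:
            selectors.setdefault(p, []).append(r.prefix)
    return selectors


def origin_count(inner_src: Addr, routes: List[Route]) -> int:
    """How many peers are acceptable origins for inner_src.  1 means the
    filter is as strict as an ordinary anti-spoofing check; more than 1
    is the weaker 'accept from any of several origins' case."""
    peers = set()
    for r in routes:
        if inner_src in r.prefix:
            peers |= r.peers
    return len(peers)


def process_inbound(outer_src: Addr, spi: int, inner_src: Addr,
                    sad: Dict[int, SA],
                    selectors: Dict[Addr, List[Net]]) -> str:
    """Return 'accept' or a drop reason for a decapsulated tunnel-mode packet."""
    sa = sad.get(spi)
    if sa is None:
        return "drop: unknown SPI"
    if outer_src != sa.peer:
        return "drop: outer source is not the SA's negotiated peer"
    if not any(inner_src in pfx for pfx in selectors.get(sa.peer, [])):
        return "drop: inner source not routed via this peer (spoof or misroute)"
    return "accept"


# Constructed topology (hypothetical addresses): peer A is the only path to
# 10.1/16, peers A and B both reach 10.2/16 (two equal paths, no default
# route), and B alone reaches 10.3/16.
PEER_A = Addr("192.0.2.1")
PEER_B = Addr("198.51.100.1")
ROUTES = [
    Route(Net("10.1.0.0/16"), frozenset({PEER_A})),
    Route(Net("10.2.0.0/16"), frozenset({PEER_A, PEER_B})),
    Route(Net("10.3.0.0/16"), frozenset({PEER_B})),
]
SAD = {0x1000: SA(0x1000, PEER_A), 0x2000: SA(0x2000, PEER_B)}
SELECTORS = build_inbound_selectors(ROUTES)


def demo() -> List[str]:
    """Run a handful of constructed packets through the check."""
    cases = [
        (PEER_A, 0x1000, Addr("10.1.5.5")),   # legitimate, single origin
        (PEER_B, 0x2000, Addr("10.1.5.5")),   # 10.1/16 is not behind B: spoof
        (PEER_B, 0x2000, Addr("10.2.9.9")),   # ambiguous prefix: accepted (weaker)
        (PEER_A, 0x2000, Addr("10.3.1.1")),   # outer source does not match SA peer
        (PEER_A, 0x3000, Addr("10.1.5.5")),   # no such SA
    ]
    return [process_inbound(o, s, i, SAD, SELECTORS) for o, s, i in cases]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third case is the weakness described above: because 10.2/16 is reachable via both A and B, a packet claiming a 10.2/16 source is accepted from either tunnel, and origin_count() reports 2 rather than 1. Building the selector list from the routing table is what ties the filter to dynamic routing; in a real system the routing table used here would have to be the one kept for decapsulated traffic, separate from the table that forwards the ESP/AH packets themselves.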