
Re: routing and outbound.



Hi Lars Eggert.
No. I am trying to design an IPSEC armed router. A router acts as a
security gateway so it uses tunnel mode not transport.
Now my question is if there is a router that has some interfaces and these
interfaces may be IPSEC armed or not, now which is the correct
configuration, case 1, 2 or 3? Which one? Or is there another way?

And what do you mean by hop-by-hop IPSEC?

----- Original Message -----
From: "Lars Eggert" <larse@ISI.EDU>
To: "Mahdavi" <mahdavi110@yahoo.com>; "ipsec" <ipsec@lists.tislabs.com>
Sent: Sunday, November 25, 2001 8:54 PM
Subject: RE: routing and outbound.


> Mahdavi,
>
> are you doing hop-by-hop IPSec, i.e. construct a virtual topology out of
> IPsec tunnels? If so, we have some information on this in
> draft-touch-ipsec-vpn-01.txt (expired, -02 has been submitted, but not yet
> announced).
>
> If you aren't (i.e. you're simply routing IPsec packets), nothing happens
> at routers: IPsec is end-to-end.
>
> Or maybe I didn't understand your question correctly?
>
> Lars
> --
> Lars Eggert <larse@isi.edu>               Information Sciences Institute
> http://www.isi.edu/larse/              University of Southern California
>
>
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com
> [mailto:owner-ipsec@lists.tislabs.com]On Behalf Of Mahdavi
> Sent: Sunday, November 25, 2001 5:56 AM
> To: ipsec
> Subject: routing and outbound.
>
>
> Hi.
>
> Imagine an IPSEC armed router. As anyone knows routers have interfaces. Each
> interface may be IPSEC enabled or not (Am I right!!??).
>
> Upon arrival of any packet to the router, which series of tasks must be done on
> the packet?
>
> 1- Inbound, Outbound and then Routing.
> 2- Inbound, Routing and then Outbound.
> 3- Routing, Inbound and then Outbound.
>
> Each of these configurations has weaknesses.
>
> a) In case 1 there is a high probability of denial of service for the
> protected subnetwork when at least one of the router's interfaces is IPSEC
> unarmed.
> b) Case 2 has a logical flaw. After the Outbound process a new packet will be made
> with a new IP header, so this needs routing again.
> c) Case 3 means that the IPSEC process must be done after Routing. This has
> a spoofing danger.
>
> Now what configuration is correct, or maybe I have a basic
> misunderstanding.
>
> best regards
>
> mahdavi
>
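The ordering the thread argues about can be made concrete with a small model of a security gateway. The following is an added illustration, not code from either poster and not any real IPsec implementation: it runs the per-packet pipeline in the order of case 2 (inbound IPsec check, then routing, then outbound IPsec), and addresses point (b) by giving the freshly built outer header its own route lookup. The inbound step also shows why the IPsec check belongs before routing: an ESP packet is only accepted from its configured peer with an inner source inside that peer's protected subnet, and a plaintext packet claiming a source that policy says must arrive tunnelled is dropped. All addresses, interface names and the SPD entry are constructed for the demo.

```python
"""Toy model of the per-packet processing order at an IPsec security gateway:
inbound IPsec check -> routing -> outbound IPsec, with a second route lookup
for the outer header once a packet has been tunnelled (case 2 in the thread).
Illustration only; the addresses and policies below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set => ESP tunnel-mode packet wrapping an inner packet

@dataclass
class Policy:
    """One SPD entry: traffic to/from `subnet` is tunnelled to/from `peer`."""
    subnet: str
    peer: str

@dataclass
class Interface:
    name: str
    ipsec: bool                          # "IPsec armed" or not
    spd: List[Policy] = field(default_factory=list)

class Gateway:
    def __init__(self, local: str, interfaces: List[Interface], routes: List[Tuple[str, str]]):
        self.local = local               # the gateway's own tunnel-endpoint address
        self.ifaces = {i.name: i for i in interfaces}
        self.routes = [(ipaddress.ip_network(n), i) for n, i in routes]

    def route(self, dst: str) -> Optional[str]:
        """Longest-prefix match; returns the egress interface name or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    @staticmethod
    def policy_for(iface: Interface, addr: str) -> Optional[Policy]:
        a = ipaddress.ip_address(addr)
        return next((p for p in iface.spd if a in ipaddress.ip_network(p.subnet)), None)

    def inbound(self, iface: Interface, pkt: Packet, trace: List[str]) -> Optional[Packet]:
        """Inbound IPsec processing on the ingress interface; None means drop."""
        if iface.ipsec and pkt.inner is not None:
            # ESP must come from a configured peer, be addressed to us, and carry an
            # inner source inside that peer's protected subnet (the selector check)
            pol = self.policy_for(iface, pkt.inner.src)
            if pol is None or pol.peer != pkt.src or pkt.dst != self.local:
                trace.append(f"inbound:{iface.name}:drop-bad-tunnel")
                return None
            trace.append(f"inbound:{iface.name}:decapsulate")
            return pkt.inner
        if iface.ipsec and self.policy_for(iface, pkt.src) is not None:
            # plaintext claiming a source that policy says must arrive tunnelled
            trace.append(f"inbound:{iface.name}:drop-unprotected")
            return None
        trace.append(f"inbound:{iface.name}:bypass")
        return pkt

    def outbound(self, iface: Interface, pkt: Packet, trace: List[str]):
        """Outbound IPsec processing; returns (packet to send, egress interface)."""
        pol = self.policy_for(iface, pkt.dst) if iface.ipsec else None
        if pol is None:
            trace.append(f"outbound:{iface.name}:plaintext")
            return pkt, iface.name
        outer = Packet(self.local, pol.peer, inner=pkt)
        trace.append(f"outbound:{iface.name}:encapsulate->{pol.peer}")
        egress = self.route(outer.dst)   # point (b): the new outer header gets its own route lookup
        trace.append(f"reroute:{egress}")
        return outer, egress

    def forward(self, ingress: str, pkt: Packet):
        """Case 2 order: inbound, routing, outbound (plus re-route of the outer packet)."""
        trace: List[str] = []
        pkt = self.inbound(self.ifaces[ingress], pkt, trace)
        if pkt is None:
            return None, trace
        egress = self.route(pkt.dst)
        trace.append(f"route:{egress}")
        if egress is None:
            return None, trace
        return self.outbound(self.ifaces[egress], pkt, trace), trace

def demo_gateway() -> Gateway:
    """Constructed topology: plain LAN side, IPsec-armed WAN side with one tunnel peer."""
    return Gateway(
        local="198.51.100.1",
        interfaces=[Interface("lan", ipsec=False),
                    Interface("wan", ipsec=True, spd=[Policy("10.2.0.0/16", "198.51.100.2")])],
        routes=[("10.1.0.0/16", "lan"), ("10.2.0.0/16", "wan"), ("0.0.0.0/0", "wan")],
    )

if __name__ == "__main__":
    gw = demo_gateway()
    for ingress, pkt in [("lan", Packet("10.1.0.5", "10.2.0.7")),
                         ("wan", Packet("198.51.100.2", "198.51.100.1", Packet("10.2.0.7", "10.1.0.5"))),
                         ("wan", Packet("10.2.0.9", "10.1.0.5"))]:
        print(ingress, gw.forward(ingress, pkt))
```

The trace list makes the order visible: a LAN-to-remote packet is bypassed on the unarmed interface, routed to `wan`, encapsulated, and then routed again on its outer destination; a plaintext packet arriving on `wan` with a source inside the tunnelled subnet never reaches the routing step at all, which is the spoofing case the thread's point (c) worries about when routing runs first.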


