
Re: routing and outbound.



Mahdavi wrote:
> 
> Hi.
> 
> Imagine an IPSEC armed router. As anyone knows, routers have interfaces.
> Each interface may be IPSEC enabled or not (Am I right!!??).
> 
> Upon arrival of any packet at the router, which series of tasks must be
> done on the packet?
> 
> 1- Inbound, Outbound and then Routing.
> 2- Inbound, Routing and then Outbound.
> 3- Routing, Inbound and then Outbound.
> 
> Each of these configurations has weaknesses.
> 
> a)- In case 1 there is a high-probability danger of denial of service for
> the protected subnetwork when at least one of the router's interfaces is
> IPSEC unarmed.
> b)- Case 2 has a logical flaw. After the Outbound process a new packet will
> be made with a new IP header, so this needs routing again.
> c)- Case 3 means that the IPSEC process must be done after Routing. This
> has a spoofing danger.
> 
> Now, which configuration is correct, or maybe I have a basic
> misunderstanding?
> 
> best regards
> 
> mahdavi


Howdy,
	Try this...

	InBound/OutBound, Routing, InBound/OutBound, Routing,
InBound/OutBound .... until you have a packet which may pass an
interface without further IPsec processing.

	Of course, such an implementation may turn out to be rather slow in
typical traffic patterns. I'm sure it is possible to read the standards
and not come up with such a pessimistic view of their meaning. And I'm
sure that most vendors do not recurse through policy applications until
a 'pass' rule is met for traffic. But (IMHO) this turns out not to have
all that much impact on interoperability. It's a behaviour contained
entirely within your system and does not impact your peer. So, you are
left to implementer's discretion in this area.

-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." Benjamin Franklin

  Ricky Charlet   : SonicWall Inc.   : usa (510) 497-2103
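
The iterate-until-pass scheme Ricky sketches above, as an added example that is not part of the thread and not any vendor's code: a small Python model of a gateway that runs inbound processing on the ingress interface, then routes and applies outbound policy repeatedly, re-routing each time a 'protect' verdict produces a new outer header, until a 'bypass' verdict lets the packet leave. Every address, route, SPD entry, SA and SPI below is constructed for the example. The model also carries a loop guard (`MAX_PASSES`, an assumed constant) for the case the reply hints at, an SPD that keeps matching its own output, and it shows the two hazards from the question: a cleartext packet claiming a protected source is dropped on the IPsec interface, but passes unchecked on an interface where IPsec processing is not applied.

```python
# Constructed model of the "inbound, route, outbound, route again..." loop.
# Addresses, routes, SPD entries and SAs are made up for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_PASSES = 8  # loop guard: a policy that keeps matching its own output must not recurse forever

@dataclass
class Packet:
    src: str
    dst: str
    esp_spi: Optional[int] = None      # set when the outer header carries ESP
    inner: Optional["Packet"] = None   # encapsulated packet (tunnel mode)

@dataclass
class Policy:
    local: str       # selector for the address on our side
    remote: str      # selector for the address on the far side
    action: str      # "bypass", "discard" or "protect"
    peer: str = ""   # tunnel endpoint used by "protect"
    spi: int = 0     # SPI of the outbound SA used by "protect"

DISCARD = Policy("0.0.0.0/0", "0.0.0.0/0", "discard")  # default deny when nothing matches
BYPASS = Policy("0.0.0.0/0", "0.0.0.0/0", "bypass")    # used on interfaces without IPsec

@dataclass
class Router:
    routes: dict        # prefix -> egress interface name
    spd: list           # ordered SPD entries, first match wins
    sad_in: dict        # inbound SPI -> peer address the SA belongs to
    ipsec_ifaces: set   # interfaces on which IPsec processing is applied
    own_addr: str       # outer source address when we encapsulate

    def route(self, dst: str) -> Optional[str]:
        best = None  # longest-prefix match
        for prefix, iface in self.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, iface)
        return best[1] if best else None

    def policy(self, local: str, remote: str) -> Policy:
        for p in self.spd:
            if ip_address(local) in ip_network(p.local) and ip_address(remote) in ip_network(p.remote):
                return p
        return DISCARD

    def inbound(self, pkt: Packet, iface: str) -> Optional[Packet]:
        """Inbound processing on the ingress interface: decapsulate, then check policy."""
        if iface not in self.ipsec_ifaces:
            return pkt                      # unarmed interface: nothing is checked here
        protected = False
        if pkt.esp_spi is not None and pkt.dst == self.own_addr:
            if self.sad_in.get(pkt.esp_spi) != pkt.src:
                return None                 # unknown SPI or wrong peer: drop
            pkt, protected = pkt.inner, True
        p = self.policy(local=pkt.dst, remote=pkt.src)
        if p.action == "discard" or (p.action == "protect" and not protected):
            return None                     # cleartext where protection is required: drop
        return pkt

    def forward(self, pkt: Packet, ingress: str):
        """Inbound once, then route/outbound until the packet may leave. Returns (verdict, egress, packet, passes)."""
        pkt = self.inbound(pkt, ingress)
        if pkt is None:
            return "drop", None, None, 0
        for passes in range(1, MAX_PASSES + 1):
            egress = self.route(pkt.dst)
            if egress is None:
                return "drop", None, None, passes
            p = self.policy(pkt.src, pkt.dst) if egress in self.ipsec_ifaces else BYPASS
            if p.action == "bypass":
                return "pass", egress, pkt, passes
            if p.action == "discard":
                return "drop", None, None, passes
            # "protect": wrap in a new outer header, which then needs its own routing decision
            pkt = Packet(src=self.own_addr, dst=p.peer, esp_spi=p.spi, inner=pkt)
        return "loop", None, None, MAX_PASSES  # SPD keeps re-protecting its own output

def build_router(esp_bypass: bool = True) -> Router:
    """Gateway with one tunnel. With esp_bypass=False the SPD has no entry letting the
    tunnel's own ESP packets out, and a catch-all 'protect' re-matches them instead."""
    spd = [Policy("10.0.0.0/24", "10.1.0.0/24", "protect", peer="198.51.100.1", spi=0x1001)]
    if esp_bypass:
        spd.append(Policy("203.0.113.1/32", "198.51.100.1/32", "bypass"))
    else:
        spd.append(Policy("0.0.0.0/0", "198.51.100.1/32", "protect", peer="198.51.100.1", spi=0x1001))
    spd.append(Policy("10.0.0.0/24", "0.0.0.0/0", "bypass"))  # other traffic leaves in the clear
    return Router(routes={"10.0.0.0/24": "inside", "0.0.0.0/0": "outside"}, spd=spd,
                  sad_in={0x2002: "198.51.100.1"}, ipsec_ifaces={"outside"}, own_addr="203.0.113.1")

if __name__ == "__main__":
    r = build_router()
    print(r.forward(Packet("10.0.0.5", "10.1.0.7"), "inside"))   # protected, then routed again: 2 passes
    print(r.forward(Packet("10.1.0.7", "10.0.0.5"), "outside"))  # cleartext claiming a protected peer: drop
```

The second routing pass is what the question's case (b) points at: once outbound processing has built a new outer header, the routing decision made for the inner packet is no longer valid, so the loop routes again and consults the SPD for the outer packet. That in turn is why the SPD needs an explicit entry for the gateway's own ESP traffic to the peer; with a default-deny SPD the tunnel packets would otherwise be discarded, and with a catch-all 'protect' they would be wrapped again on every pass, which is what the `MAX_PASSES` guard catches.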