
Re: ipsec in tunnel mode and dynamic routing



At 2:30 PM -0800 11/19/01, Joe Touch wrote:
>Steven M. Bellovin wrote:
>
>>While I'm not certain I understand what problem you're trying to
>>solve that isn't already solved by tunnel mode, there are some
>>weaknesses in this scheme as you've outlined it here.  First, unless
>>you have port-specific routing, you can't implement the full glory
>>of IPsec SPDs (I'm perfectly willing to listen if you want to say
>>that that's a feature, not a bug).
>
>FWIW - this is yet another place where I'd prefer to let firewall
>rules do their job, and IPsec to its. So yes, since I believe this
>can already be done with existing mechanisms, I don't care whether
>it defeats IPsec's ability to integrate it. (at least at first look
>that's how it appears)

Joe,

As I have said on many occasions in the past, if one uses a separate 
firewall module/device to do the filtering, after receipt of an IPsec 
packet, security suffers, because one no longer has the SA info to 
verify the (IPsec) source of the packet. I'm not saying that your IP 
encapsulation approach can't preserve this functionality, but I am 
saying that it is an essential part of IPsec and must be preserved in 
any future version.

Steve

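A constructed illustration of the point Steve makes above (added here, not part of the thread or any participant's message): inbound IPsec processing checks the decapsulated inner packet against the selectors of the SA it arrived on, while a separate firewall that runs after decapsulation sees only the inner packet and has lost that SA binding. The SA, selector and address values below are all made up for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class SA:
    spi: int
    peer: str            # tunnel endpoint that authenticated the packet
    src_net: str         # inner traffic selectors negotiated for this SA
    dst_net: str
    proto: str
    dport: Optional[int]  # None means any port


def matches(sel: SA, pkt: Packet) -> bool:
    """Does the inner packet fall within this SA's negotiated selectors?"""
    return (ip_address(pkt.src) in ip_network(sel.src_net)
            and ip_address(pkt.dst) in ip_network(sel.dst_net)
            and pkt.proto == sel.proto
            and (sel.dport is None or sel.dport == pkt.dport))


def ipsec_inbound_check(arrived_on: SA, pkt: Packet) -> bool:
    """IPsec-integrated check: the packet must match the SA that protected it."""
    return matches(arrived_on, pkt)


def firewall_check(rules: List[SA], pkt: Packet) -> bool:
    """Standalone firewall after decapsulation: the SA binding is gone, so the
    best it can do is ask whether *some* rule admits the inner 5-tuple."""
    return any(matches(rule, pkt) for rule in rules)


# Constructed SAs: branch A is allowed to reach the database port,
# branch B is allowed to reach only the web port.
SA_A = SA(0x100, "198.51.100.1", "10.1.0.0/16", "10.0.0.0/24", "tcp", 5432)
SA_B = SA(0x200, "198.51.100.2", "10.2.0.0/16", "10.0.0.0/24", "tcp", 443)

# Constructed inner packet claiming a branch-A source, but delivered over
# branch B's SA (i.e. authenticated by peer B, not peer A).
MISATTRIBUTED = Packet("10.1.5.5", "10.0.0.10", "tcp", 5432)
```

Run against `MISATTRIBUTED`, the SA-aware check on `SA_B` rejects the packet, whereas the SA-blind firewall admits it because `SA_A`'s rule happens to cover the inner 5-tuple.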
