
Re: ipsec in tunnel mode and dynamic routing
Stephen Kent wrote:

> At 2:30 PM -0800 11/19/01, Joe Touch wrote:
> 
>> Steven M. Bellovin wrote:
>>
>> While I'm not certain I understand what problem you're trying to solve 
>> that isn't already solved by tunnel mode, there are some weaknesses in 
>> this scheme as you've outlined it here.  First, unless you have 
>> port-specific routing, you can't implement the full glory of IPsec 
>> SPDs (I'm perfectly willing to listen if you want to say that that's a 
>> feature, not a bug).
>>
>> FWIW - this is yet another place where I'd prefer to let firewall 
>> rules do their job, and IPsec do its. So yes, since I believe this can 
>> already be done with existing mechanisms, I don't care whether it 
>> defeats IPsec's ability to integrate it. (At least at first look 
>> that's how it appears.)
> 
> 
> Joe,
> 
> As I have said on many occasions in the past, if one uses a separate 
> firewall module/device to do the filtering, after receipt of an IPsec 
> packet, security suffers, because one no longer has the SA info to 
> verify the (IPsec) source of the packet. I'm not saying that your IP 
> encapsulation approach can't preserve this functionality, but I am 
> saying that it is an essential part of IPsec and must be preserved in 
> any future version.


Steve,

I thought we went over this already as well: once a packet is decrypted, 
the SA should be carried with the packet for further checks. RFC 2401 
already mentions this as a SHOULD; we'd certainly prefer a MUST.

Joe
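The point the two messages are arguing over, modelled as an added example that is not part of this thread and not the code of any IPsec implementation. It is a small Python model of RFC 2401 inbound processing: after decapsulation the inner packet keeps a reference to the SA it arrived on, so a later filtering step can verify that the inner packet's selectors are covered by that SA. The SAD entries, selectors, firewall rule and addresses are all constructed for the example.

```python
"""Toy model of RFC 2401 inbound processing with the SA carried alongside
the decapsulated packet (constructed example; not an IPsec implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class SA:
    """Inbound SA as it would sit in the SAD (simplified, constructed fields)."""
    spi: int
    peer: str                      # tunnel endpoint the SA was negotiated with
    src_sel: str                   # selector: inner source range the peer may send from
    dst_sel: str                   # selector: inner destination range
    proto: Optional[int] = None    # None = any protocol
    dst_port: Optional[int] = None # None = any port


@dataclass
class Packet:
    """Inner (decapsulated) packet header plus its SA binding."""
    src: str
    dst: str
    proto: int
    dst_port: int
    sa: Optional[SA] = None        # set by inbound_ipsec(); None = no SA known


@dataclass(frozen=True)
class Rule:
    """Plain firewall rule that only looks at the inner header."""
    src_net: str
    dst_net: str
    proto: int
    dst_port: int
    action: str                    # "allow" or "deny"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src_net)
            and ip_address(pkt.dst) in ip_network(rule.dst_net)
            and pkt.proto == rule.proto
            and pkt.dst_port == rule.dst_port)


def sa_covers(sa: SA, pkt: Packet) -> bool:
    """The RFC 2401 inbound step: inner selectors must match the SA's selectors."""
    if ip_address(pkt.src) not in ip_network(sa.src_sel):
        return False
    if ip_address(pkt.dst) not in ip_network(sa.dst_sel):
        return False
    if sa.proto is not None and pkt.proto != sa.proto:
        return False
    if sa.dst_port is not None and pkt.dst_port != sa.dst_port:
        return False
    return True


def inbound_ipsec(sad: dict, spi: int, inner: Packet) -> Optional[Packet]:
    """Stand-in for decapsulation: find the SA by SPI and bind it to the packet."""
    sa = sad.get(spi)
    if sa is None:
        return None                # unknown SPI: discard (and audit) per RFC 2401
    inner.sa = sa
    return inner


def firewall_only(rules, pkt: Packet) -> bool:
    """Separate firewall after IPsec: it sees only the inner header, never the SA."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action == "allow"
    return False                   # default deny


def sa_aware_filter(rules, pkt: Packet) -> bool:
    """Filter that still has the SA: the SA's selectors must cover the packet first."""
    if pkt.sa is None or not sa_covers(pkt.sa, pkt):
        return False
    return firewall_only(rules, pkt)


# Constructed SAD: two peers, each allowed to originate only from its own network.
SAD = {
    0x1001: SA(spi=0x1001, peer="gw-a", src_sel="10.1.0.0/16", dst_sel="10.2.0.0/16"),
    0x1002: SA(spi=0x1002, peer="gw-b", src_sel="10.3.0.0/16", dst_sel="10.2.0.0/16"),
}
# Constructed firewall rule: allow SSH from gw-a's network into 10.2.0.0/16.
RULES = [Rule("10.1.0.0/16", "10.2.0.0/16", 6, 22, "allow")]


def demo() -> dict:
    # Legitimate: arrives on gw-a's SA with a source inside that SA's selector.
    good = inbound_ipsec(SAD, 0x1001, Packet("10.1.5.5", "10.2.0.10", 6, 22))
    # Mismatch: arrives on gw-b's SA but carries a source from gw-a's network.
    bad = inbound_ipsec(SAD, 0x1002, Packet("10.1.5.5", "10.2.0.10", 6, 22))
    return {
        "good_firewall_only": firewall_only(RULES, good),
        "good_sa_aware": sa_aware_filter(RULES, good),
        "bad_firewall_only": firewall_only(RULES, bad),   # header alone looks fine
        "bad_sa_aware": sa_aware_filter(RULES, bad),      # SA selectors expose it
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'accept' if verdict else 'drop'}")
```

The header-only firewall accepts both packets because their inner 5-tuples are identical; only the filter that still holds the SA binding can tell that the second packet arrived on an SA whose negotiated selectors do not cover it. That is the information Kent says is lost when filtering moves to a separate device, and the binding Touch says should travel with the decrypted packet.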