Re: ipsec in tunnel mode and dynamic routing
At 10:26 AM -0800 11/30/01, Joe Touch wrote:
>Stephen Kent wrote:
>
>>At 2:30 PM -0800 11/19/01, Joe Touch wrote:
>>
>>>Steven M. Bellovin wrote:
>>>
>>>While I'm not certain I understand what problem you're trying to
>>>solve that isn't already solved by tunnel mode, there are some
>>>weaknesses in this scheme as you've outlined it here. First,
>>>unless you have port-specific routing, you can't implement the
>>>full glory of IPsec SPDs (I'm perfectly willing to listen if you
>>>want to say that that's a feature, not a bug).
>>>
>>>FWIW - this is yet another place where I'd prefer to let firewall
>>>rules do their job, and IPsec to its. So yes, since I believe this
>>>can already be done with existing mechanisms, I don't care whether
>>>it defeats IPsec's ability to integrate it. (at least at first
>>>look that's how it appears)
>>
>>
>>Joe,
>>
>>As I have said on many occasions in the past, if one uses a
>>separate firewall module/device to do the filtering, after receipt
>>of an IPsec packet, security suffers, because one no longer has the
>>SA info to verify the (IPsec) source of the packet. I'm not saying
>>that your IP encapsulation approach can't preserve this
>>functionality, but I am saying that it is an essential part of
>>IPsec and must be preserved in any future version.
>
>
>Steve,
>
>I thought we went over this already as well - once a packet is
>decrypted, the SA should be carried with the packet for further
>checks. 2401 already mentions this as a should; we'd certainly
>prefer a must.
>
>Joe
2401 requires that the SA binding be maintained only within the IPsec
implementation. I understood your comments to suggest something else,
e.g., a separate firewall module not part of IPsec. If I
misunderstood, I apologize.
Steve
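The point at issue in this exchange, shown as an added example that is not part of the thread and not from any IPsec implementation: an inbound selector check done inside IPsec can verify that the decrypted inner packet is one the delivering SA was negotiated to carry, whereas a separate firewall that sees only the decrypted header cannot tell which SA (and so which peer) delivered it. The `SA` and `Packet` types, SPIs, subnets and rules below are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed, hypothetical types; a stand-in for SAD/SPD state, not real IPsec code.
@dataclass(frozen=True)
class SA:
    spi: int
    src_sel: str             # inner source range this SA is allowed to carry
    dst_sel: str             # inner destination range
    proto: Optional[int]     # None = any protocol
    dst_port: Optional[int]  # None = any port

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dst_port: int

def sa_bound_check(pkt: Packet, sa: SA) -> bool:
    """Check done inside IPsec (RFC 2401 inbound processing): compare the
    decrypted inner packet against the selectors of the SA it arrived on."""
    if ip_address(pkt.src) not in ip_network(sa.src_sel):
        return False
    if ip_address(pkt.dst) not in ip_network(sa.dst_sel):
        return False
    if sa.proto is not None and pkt.proto != sa.proto:
        return False
    if sa.dst_port is not None and pkt.dst_port != sa.dst_port:
        return False
    return True

def firewall_only_check(pkt: Packet, allowed_src: List[str]) -> bool:
    """Separate firewall behind the IPsec device: it sees only the inner header,
    has no SA binding, so any source inside an allowed range is accepted."""
    return any(ip_address(pkt.src) in ip_network(n) for n in allowed_src)

# Two SAs from two different remote peers, each negotiated for its own subnet.
SA_PEER_A = SA(0x1001, "10.1.0.0/16", "192.0.2.0/24", 6, 443)
SA_PEER_B = SA(0x1002, "10.2.0.0/16", "192.0.2.0/24", None, None)

# Inner packet claiming a source address from peer A's range.
PKT = Packet("10.1.5.5", "192.0.2.10", 6, 443)

def demo() -> dict:
    return {
        "on_sa_a_ipsec": sa_bound_check(PKT, SA_PEER_A),       # True: matches its SA
        "on_sa_b_ipsec": sa_bound_check(PKT, SA_PEER_B),       # False: wrong SA for src
        "on_sa_b_firewall": firewall_only_check(PKT, ["10.1.0.0/16"]),  # True: cannot tell
    }
```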