
Re: ipsec in tunnel mode and dynamic routing
Stephen Kent wrote:

> At 2:03 PM -0800 11/30/01, Joe Touch wrote:
> 
>> Stephen Kent wrote:
>>
>>>
>>> 2401 requires that the SA binding be maintained only within the IPsec 
>>> implementation. I understood your comments to suggest something else, 
>>> e.g., a separate firewall module not part of IPsec. If I 
>>> misunderstood, I apologize.
>>
>> We want the SA is kept outside the IPsec, so that packets that pass 
>> through other modules in the meantime will retain their SA, e.g., Sec 
>> 8.4.
>>
>> Joe
> 
> Joe,
> 
> Your sentence is not well formed, but I suspect we do have a serious 
> disagreement here.


Delete the /is/. Sorry about that :-)

Yes, it appears we do disagree - let's see where the thread goes, though.


> An SA is an IPsec concept and thus it exists only within an IPsec 
> module. IPsec has never been just an encryption protocol, although some 
> have suggested otherwise.  Encryption, by itself, does not provide 
> protection against the major forms of attack that most Internet users 
> experience.  Rather, access control is the security service that is the 
> focus of most security mechanisms that we employ, if one remembers that 
> the primary motivation for authentication (user or otherwise) is as an 
> input to an access control decision.
> 
> Since the authentication of the other IPsec peer is an IPsec function, 
> it makes sense to retain that authentication info and use it to filter 
> traffic within IPsec, i.e., to perform identity-based access control 
> enforcement there.


In that case, what we have is a failure of firewall code (ipfw, e.g.) 
and tunnel mechanisms (gifconfig, e.g.). If that code is "inside" the 
IPsec implementation, the SA would be available.

There is more to packet processing than just encryption and 
authentication, _however_ that doesn't mean that the configuration 
interface needs to be as integrated as the implementation. If, for 
example, all firewall processing and tunneling were _implemented_ inside 
IPsec, then the SAs would be properly available.

So, I agree that the implementation should be integrated, but not 
necessarily that the configuration should be as tightly integrated.

Joe
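An added illustration of the point under dispute (my own sketch, not code from either Steve or Joe, and not a real IPsec implementation): a toy inbound pipeline in which the peer identity authenticated when the SA was set up is, or is not, carried along with each decapsulated packet into a separate filtering module. The SPIs, peer names and subnets are constructed for the example.

```python
# Constructed model: an IPsec decapsulation step followed by a separate
# firewall module. When the SA binding is retained on the packet, the filter
# can enforce "peer X may only source its own subnet"; when it is dropped,
# the filter can only judge the inner header, which any peer could forge.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class SA:
    spi: int
    peer_id: str        # identity authenticated during SA establishment
    allowed_src: str    # inner-source selector bound to this SA


# Hypothetical inbound SA database: each peer is allowed one source subnet.
SAD = {
    0x1001: SA(0x1001, "branch-a", "10.1.0.0/16"),
    0x1002: SA(0x1002, "branch-b", "10.2.0.0/16"),
}


@dataclass
class Packet:
    spi: int
    inner_src: str
    inner_dst: str
    sa: Optional[SA] = None   # SA binding, if the pipeline keeps it


def ipsec_inbound(pkt: Packet, keep_binding: bool) -> Packet:
    """Look up the SA by SPI; attach it to the packet only if keep_binding."""
    sa = SAD[pkt.spi]
    return Packet(pkt.spi, pkt.inner_src, pkt.inner_dst, sa if keep_binding else None)


def firewall(pkt: Packet) -> str:
    """Identity-based check when the binding survives; header-only otherwise."""
    src = ip_address(pkt.inner_src)
    if pkt.sa is None:
        # No binding: the best the module can do is accept any source that
        # some peer is allowed to use, so it cannot tell which peer sent it.
        ok = any(src in ip_network(s.allowed_src) for s in SAD.values())
        return "accept" if ok else "drop: source matches no configured peer"
    if src in ip_network(pkt.sa.allowed_src):
        return "accept"
    return f"drop: {pkt.sa.peer_id} may not source {pkt.inner_src}"


def process(pkt: Packet, keep_binding: bool) -> str:
    """Run one packet through decapsulation and then the filter."""
    return firewall(ipsec_inbound(pkt, keep_binding))
```

With the binding kept, a packet arriving on branch-a's SA but claiming a branch-b inner source is dropped; with the binding discarded, the same packet is accepted because the header alone looks legitimate.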