
RE: IKEv2 traffic selector subsetting.



> I don't know what the phrase "topology-aware IPsec layer" means, so
> I'm not sure what you are proposing.

I assume that something in the IPsec layer (i.e. IKE) knows enough about the
topology to know which subnets are behind which gateways.


> We have maintained that the SA binding for a packet must be
> maintained to ensure that the firewall-style rule checks are applied
> to packets in the context of the SAs with which the rules are
> associated.


What I am saying is that there are basically 3 different levels at which the
SA binding can be done:

1) Do NO filtering at the SADB and pass the SA context information up to the
firewall a la draft-touch.

2) Do the SA binding at the SADB and do the firewall filtering at the
firewall.

3) Do BOTH the SA binding and firewall filtering at the SADB, which is what
it seems you are proposing.

My claim was that if you ensure that the phase 2 selectors enforce the
IP->identity bindings (i.e. which subnets are behind which gateways & which
roaming clients are at which IPs), then (2) will suffice since your firewall
can be assured that the SA binding of any packet it receives has already
been vetted.

Note that I have no objection to (and actually endorse) an integrated
IPsec-firewall component (if you integrate the two then the above
distinctions are moot). But your objection is always "what if the SADB and
firewall are on different machines?"

It seems to me that 2401 is trying to skirt the issue by integrating the
functionality of a very basic firewall into IPsec (thus *causing* the SADB
and firewall to be on the same machine). But it is an incomplete solution
because you may still need an external firewall. I just prefer a different
solution, in which IPsec cooperates with (or merges with) the firewall
rather than duplicating one part of its functionality.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.
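To make the distinction between levels (1) and (2) concrete, here is an added example that is not part of the original message or of any IPsec implementation. It models a minimal SADB that does only the SA binding check (inbound inner packet against the phase 2 traffic selectors of the SA it arrived on) and a plain address/port firewall that knows nothing about SAs, plus a context-aware firewall for level (1). The topology, SPIs, peer identities and rules are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample topology (an assumption, not from the thread):
#   SPI 0x1001: branch-office gateway with 10.2.0.0/16 behind it
#   SPI 0x1002: roaming client "alice", assigned address 192.0.2.77
# The phase 2 traffic selectors are the IP->identity bindings.


@dataclass(frozen=True)
class SA:
    spi: int
    peer_id: str
    remote_ts: Tuple[str, ...]   # remote-side selectors (CIDR)
    local_ts: Tuple[str, ...]    # local-side selectors (CIDR)


@dataclass(frozen=True)
class Packet:
    spi: int      # SA the packet was received on
    src: str      # inner source address after decapsulation
    dst: str      # inner destination address
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dport: Optional[int]        # None = any port
    action: str                 # "allow" or "deny"
    peer_id: Optional[str] = None   # only used by the level-(1) firewall


def _in_any(addr: str, nets: Iterable[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


class SADB:
    """Level (2): the SADB does only the SA binding check, no firewalling."""

    def __init__(self, sas: List[SA]):
        self.by_spi: Dict[int, SA] = {sa.spi: sa for sa in sas}

    def inbound(self, pkt: Packet) -> Tuple[Optional[SA], str]:
        sa = self.by_spi.get(pkt.spi)
        if sa is None:
            return None, "drop: unknown SPI"
        # A packet whose inner addresses fall outside the selectors
        # negotiated for this SA is not what the peer was authorized to send.
        if not _in_any(pkt.src, sa.remote_ts):
            return None, "drop: source not covered by SA selectors"
        if not _in_any(pkt.dst, sa.local_ts):
            return None, "drop: destination not covered by SA selectors"
        return sa, "ok"


class Firewall:
    """Address/port firewall; with peer_id rules it becomes the level-(1) variant."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def check(self, pkt: Packet, peer_id: Optional[str] = None) -> str:
        for r in self.rules:
            if r.peer_id is not None and r.peer_id != peer_id:
                continue
            if _in_any(pkt.src, (r.src_net,)) and (r.dport is None or r.dport == pkt.dport):
                return r.action
        return "deny"


def process_level2(sadb: SADB, fw: Firewall, pkt: Packet) -> str:
    """SADB vets the binding; the firewall sees only an already-vetted packet."""
    sa, verdict = sadb.inbound(pkt)
    if sa is None:
        return verdict
    return "firewall: " + fw.check(pkt)


def process_level1(sadb: SADB, fw: Firewall, pkt: Packet) -> str:
    """No filtering at the SADB; SA context is handed up to the firewall."""
    sa = sadb.by_spi.get(pkt.spi)
    if sa is None:
        return "drop: unknown SPI"
    return "firewall: " + fw.check(pkt, peer_id=sa.peer_id)


SADB_EXAMPLE = SADB([
    SA(0x1001, "branch-gw", ("10.2.0.0/16",), ("10.1.0.0/16",)),
    SA(0x1002, "alice", ("192.0.2.77/32",), ("10.1.0.0/16",)),
])
# Level (2) firewall: rules on addresses only.
FW_LEVEL2 = Firewall([Rule("10.2.0.0/16", 445, "allow"), Rule("192.0.2.77/32", 22, "allow")])
# Level (1) firewall: the same policy, but each rule is tied to the peer identity.
FW_LEVEL1 = Firewall([Rule("10.2.0.0/16", 445, "allow", "branch-gw"),
                      Rule("192.0.2.77/32", 22, "allow", "alice")])

if __name__ == "__main__":
    spoofed = Packet(0x1002, "10.2.3.4", "10.1.0.10", 445)  # branch address on alice's SA
    print(process_level2(SADB_EXAMPLE, FW_LEVEL2, spoofed))
    print(process_level1(SADB_EXAMPLE, FW_LEVEL1, spoofed))
```

The interesting case is the packet carrying a branch-office source address but arriving on the roaming client's SA: under level (2) the SADB drops it before the firewall ever sees it, so the firewall's plain "allow 10.2.0.0/16" rule is safe even on a separate box; under level (1) the firewall must carry the peer identity in every rule to reach the same verdict.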



