
Re: Modefg considered harmful



Sorry, you lost me in the sea of acronyms.  Could you please expand
PE and SP?  Provider Equipment and ...???

more inline..

jeremy.de_clercq@alcatel.be writes:

> Hi Derek, Dirk, all,
> 
> jumping in on an earlier comment:
> 
> > A client connects to a gateway but doesn't agree on an IP Address.
> > The client then says "ok, I'm 1.2.3.4".  The IPsec gateway has no way
> > to know that this client is authorized to use 1.2.3.4 -- it's just
> > trusting the client, which is bad.  Think PPVPN!  If my company and
> > your company share a VPN node, I could gain access to your vpn this
> > way.
> 
> In a scenario where sites are allowed to connect to the PPVPN using an
> IPsec tunnel with the PE (which serves different VPNs), the SP's PE
> would need to be pre-configured with the necessary information to
> authenticate connecting sites as belonging to a specific PPVPN (I don't
> believe it to be related with the customer's private addresses). 

This is only one possible scenario.  In your scenario you may not care
about ip address policy inside the tunnel, in which case you can leave
the policy as 0/0 <-> 0/0, which is perfectly fine.  However, just
because YOUR architecture doesn't need this feature does not imply
that others can live without it.

> Once the (dynamically established IPsec) virtual interface (virtual
> interfaces are really what's needed in the PPVPN context) is mapped to a
 
Again, this may be fine in a PPVPN world, but the world is not just
PPVPN.  I want to set up host-to-gateway road-warrior VPNs, or even
host-to-host protections.  I need to be able to dynamically set
policies on what address to expect on any particular SPI, and I want
these policies tied to the IKE ID.

Perhaps your world does not require this level of protection.  Then
again, I do not have to answer to your boss. ;)

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
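The distinction argued over above (a 0/0 <-> 0/0 policy that trusts whatever inner address the peer claims, versus an inner selector bound to the authenticated IKE ID and installed per SPI) is easy to show in a small simulation. The following is an added illustration written for this page, not code from Derek, Jeremy, or any IPsec implementation. The authorization table, the identities alice@example.com and bob@example.net, the inner prefixes, and the SPI values are all constructed for the example; the "gateway" is a few functions standing in for the IKE responder's selector negotiation and the inbound policy check that runs after ESP decapsulation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed example data: which authenticated IKE identity may claim
# which inner (tunneled) source prefix.  On a gateway shared by two
# customers, this is the per-customer binding the post is asking for.
AUTHORIZED_INNER = {
    "alice@example.com": [ip_network("10.1.0.0/16")],
    "bob@example.net":   [ip_network("10.2.0.0/16")],
}


@dataclass
class InboundSA:
    """One inbound SA: the SPI, the IKE ID that negotiated it, and the
    inner source selector admitted on it.  (Hypothetical structure.)"""
    spi: int
    ike_id: str
    inner_src: IPv4Network


def negotiate_inner_selector(ike_id, requested_src):
    """Phase-2 style check: accept the peer's requested inner selector only
    if the identity authenticated in phase 1 is authorized for it.
    Returns the selector to install, or None to reject the proposal."""
    for allowed in AUTHORIZED_INNER.get(ike_id, []):
        if requested_src.subnet_of(allowed):
            return requested_src
    return None


def install_sa(spi, ike_id, requested_src):
    """Bind the negotiated selector to the SPI.  A peer saying
    "ok, I'm 1.2.3.4" gets no SA unless its IKE ID is allowed 1.2.3.4."""
    selector = negotiate_inner_selector(ike_id, ip_network(requested_src))
    if selector is None:
        return None
    return InboundSA(spi=spi, ike_id=ike_id, inner_src=selector)


def accept_decapsulated(sa, inner_src_ip):
    """Inbound policy check after decapsulation on this SPI: the inner
    source address must fall inside the selector bound to the SA.  This
    is what stops a packet on Bob's SA from carrying one of Alice's
    addresses."""
    return ip_address(inner_src_ip) in sa.inner_src


def trusting_gateway_accepts(inner_src_ip):
    """The 0/0 <-> 0/0 policy mentioned in the thread: every inner address
    is accepted, so the inner source is whatever the peer chose to claim."""
    return True


if __name__ == "__main__":
    # Alice asks for an address inside Bob's range: rejected at negotiation.
    print(install_sa(0x1001, "alice@example.com", "10.2.3.4/32"))
    # Alice asks for one of her own addresses: SA installed.
    sa = install_sa(0x1002, "alice@example.com", "10.1.3.4/32")
    print(sa)
    # A packet on Alice's SPI claiming a Bob address fails the inbound check.
    print(accept_decapsulated(sa, "10.2.3.4"))
    # The trusting policy admits the same spoofed address.
    print(trusting_gateway_accepts("10.2.3.4"))
```

Note that both checks are needed: narrowing the selector at negotiation keeps an unauthorized address from ever being installed, and the per-SPI check after decapsulation catches a peer that negotiated honestly and then sends something else inside the tunnel. With the 0/0 <-> 0/0 policy, neither check exists and the inner address is simply trusted.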