[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SPD issues

To: Markku Savela <msa@burp.tkv.asdf.org>
Subject: Re: SPD issues
From: Tero Kivinen <kivinen@ssh.fi>
Date: Thu, 23 Oct 2003 16:34:31 +0300
Cc: kent@bbn.com, ipsec@lists.tislabs.com
In-Reply-To: <200310221213.h9MCDTwu010141@burp.tkv.asdf.org>
Organization: SSH Communications Security Oy
References: <5.2.0.9.0.20031020142118.020310d8@email><5.2.0.9.0.20031014234014.0214b190@localhost><5.2.0.9.0.20031021001505.02134aa0@localhost><3F956643.8030701@isi.edu><p06002014bbbb176bfbe9@[128.89.89.40]><3F956A72.5090603@isi.edu><p06002016bbbb1d976e2d@[128.89.89.40]><16278.16813.152210.575490@ryijy.hel.fi.ssh.com><200310221213.h9MCDTwu010141@burp.tkv.asdf.org>
Sender: owner-ipsec@lists.tislabs.com

Markku Savela writes:
> For me, it is the next hop destination. Note, however that if SG is
> also a router, there will be two cases for incoming packet with
> routing header:
> a) ip dst = routers own address => process routing header, IPSEC will
> apply to next hop. (which may be the router itself again). 
> b) ip dst != routers own address, routing header is NOT processed,
> next hop is searched based on the ip dst address. Again, IPSEC apply
> to next hop.
> This is as it should be. Do not mess with it!

That interpretation is fine as long as there is nothing that looks
like firewall there. In the IPsec there are drop rules so it have a
minimal firewall inside of the IPsec implementation. Using the routing
header allows users to bypass the restrictions created by the
adminstrator.

I.e Adminstrator defines policy of the SGW in the remote office:

	Host - SGW - Internet - SGW ----+--- internal net
				        |
					+--- smtp server
					|
					+--- www-proxy
					|
					+--- news server

	1) Any traffic to www-proxy is allowed (bypass)
	2) Any traffic to smtp server is protected by IPsec
	3) Drop all other traffic.

Now if users want to use some other services, like news server they
can send the packet to the www-proxy with routing header forwarding
the traffic to the news server, and that will go through even when we
have the rule 3, that says that traffic should be dropped.

They can also use the www-proxy to send traffic to the smtp-server,
which will now go through the internet in clear instead of using IPsec
protection as specified in rule 2. 
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

Follow-Ups:
- IPv6 RH (was Re: SPD issues)
  - From: Eric Vyncke <evyncke@cisco.com>

References:
- RE: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: SPD issues
  - From: Mark Duffy <mduffy@quarrytech.com>
- Re: SPD issues
  - From: Joe Touch <touch@ISI.EDU>
- Re: SPD issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SPD issues
  - From: Joe Touch <touch@ISI.EDU>
- Re: SPD issues
  - From: Stephen Kent <kent@bbn.com>
- Re: SPD issues
  - From: Tero Kivinen <kivinen@ssh.fi>
- Re: SPD issues
  - From: Markku Savela <msa@burp.tkv.asdf.org>

Prev by Date: Re: EAP requestor for Initiator
Next by Date: microsoft's patent
Prev by thread: Re: SPD issues
Next by thread: IPv6 RH (was Re: SPD issues)
Index(es):
- Date
- Thread