Re: AH (without ESP) on a secure gateway

William Allen Simpson <wsimpson@greendragon.com> Tue, 03 December 1996 12:29 UTC

Received: from cnri by ietf.org id aa16879; 3 Dec 96 7:29 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa07304; 3 Dec 96 7:29 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA23485 for ipsec-outgoing; Tue, 3 Dec 1996 07:19:55 -0500 (EST)
Date: Mon, 02 Dec 1996 21:40:17 +0000
From: William Allen Simpson <wsimpson@greendragon.com>
Message-ID: <5520.wsimpson@greendragon.com>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

> From: "Whelan, Bill" <bwhelan@nei.com>
> >But this potential conflict is not necessarily fatal, is it?  Assuming
> >cooperating firewalls, the conflict can exist and be irrelevant.  The
> >firewalls unwrap outer headers according to their notions of the SA
> >mappings, and the end hosts unwrap inner headers according to their
> >notions.  Conflicts are invisible as long as the firewalls are in
> >place.
>
> Outer headers and inner headers?  Per RFC1826, the Authentication Header
> sits between the IP header and the upper layer protocol.  It appears the
> same whether it's inserted by the host system or the gateway.
>
This makes no sense to me at all.  Since the SPI is relative to the
Destination, and supposedly protects the IP Header, I do not understand
this assumption that AH or ESP could or should ever be inserted/removed
by a router/firewall.

That is, only "tunneling" should be used for secure communication to or
between firewall/routers, with SPIs that reflect the firewall
Destination, not the host Destination.

Besides, what would you do if there were multiple firewall paths to the
same host?  Or when communicating securely to an "intranet" Destination,
passing no firewalls at all?  The Destination host could be assigning
that same SPI to a different session that travels a different path!

That way lies madness....

And I'm sure that we covered this on this list over 2 years ago.  This
means that the "architecture" document is inadequate....

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
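The SPI-namespace conflict Simpson argues about, as an added Python model that is not part of the original thread: the receiving Destination owns its SPI space, so a gateway that inserts transport-mode AH addressed to host H must pick SPIs from H's space without knowing what H has already assigned, whereas tunnel mode puts the outer Destination (and the SPI) at the gateway. Host H, gateway G, peers X and Y, the key names, and the sequential allocator (both start at 0x100 to make the collision deterministic) are constructed assumptions.

```python
from collections import namedtuple

# What the receiver must know to verify a packet: which peer, which key,
# and whether the SA is transport or tunnel mode.
SA = namedtuple("SA", "peer key_id mode")


class SpiAllocator:
    """Each Destination hands out SPIs for packets addressed to itself (RFC 1825)."""

    def __init__(self, start=0x100):
        self.next_spi = start

    def allocate(self):
        spi = self.next_spi
        self.next_spi += 1
        return spi


def build_sadb(gateway_inserts_transport_ah):
    """Return (SA database keyed by (destination, spi), list of collisions)."""
    host_alloc = SpiAllocator()  # H's own allocator
    gw_alloc = SpiAllocator()    # G's allocator; it cannot see H's choices
    sadb, collisions = {}, []

    def install(dst, spi, sa):
        key = (dst, spi)
        if key in sadb:  # same (Destination, SPI) already bound to another session
            collisions.append((key, sadb[key], sa))
        sadb[key] = sa

    # Session 1: H talks directly to intranet peer X, passing no firewall at all.
    install("H", host_alloc.allocate(), SA("X", "key-X", "transport"))

    # Session 2: external peer Y reaches H through gateway G.
    if gateway_inserts_transport_ah:
        # G "inserts" AH with Destination = H and must choose an SPI in H's space.
        install("H", gw_alloc.allocate(), SA("Y", "key-Y", "transport"))
    else:
        # Tunnel mode: outer Destination = G, so the SPI belongs to G's own space.
        install("G", gw_alloc.allocate(), SA("Y", "key-Y", "tunnel"))
    return sadb, collisions


def lookup(sadb, dst, spi):
    """Receiver-side SA lookup: the SA that would be used to check the AH."""
    return sadb.get((dst, spi))
```

With gateway-inserted transport AH the second install overwrites H's own (H, 0x100) binding, so H would verify X's packets with Y's key; with tunnel mode the two sessions live in disjoint (Destination, SPI) spaces.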