Re: AH (without ESP) on a secure gateway
William Allen Simpson <wsimpson@greendragon.com> Tue, 03 December 1996 12:29 UTC
Received: from cnri by ietf.org id aa16879; 3 Dec 96 7:29 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa07304; 3 Dec 96 7:29 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id HAA23485 for ipsec-outgoing; Tue, 3 Dec 1996 07:19:55 -0500 (EST)
Date: Mon, 02 Dec 1996 21:40:17 +0000
From: William Allen Simpson <wsimpson@greendragon.com>
Message-ID: <5520.wsimpson@greendragon.com>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
> From: "Whelan, Bill" <bwhelan@nei.com>
>
> >But this potential conflict is not necessarily fatal, is it? Assuming
> >cooperating firewalls, the conflict can exist and be irrelevant. The
> >firewalls unwrap outer headers according to their notions of the SA
> >mappings, and the end hosts unwrap inner headers according to their
> >notions. Conflicts are invisible as long as the firewalls are in
> >place.
>
> Outer headers and inner headers? Per RFC1826, the Authentication Header
> sits between the IP header and the upper layer protocol. It appears the
> same whether it's inserted by the host system or the gateway.
>

This makes no sense to me at all.

Since the SPI is relative to the Destination, and supposedly protects the IP Header, I do not understand this assumption that AH or ESP could or should ever be inserted/removed by a router/firewall.

That is, only "tunneling" should be used for secure communication to or between firewall/routers, with SPIs that reflect the firewall Destination, not the host Destination.

Besides, what would you do if there were multiple firewall paths to the same host? Or when communicating securely to an "intranet" Destination, passing no firewalls at all? The Destination host could be assigning that same SPI to a different session that travels a different path!

That way lies madness....

And I'm sure that we covered this on this list over 2 years ago.

This means that the "architecture" document is inadequate....

WSimpson@UMich.edu
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
BSimpson@MorningStar.com
    Key fingerprint =  2E 07 23 03 C5 62 70 D3  59 B1 4F 5E 1D C2 C1 A2
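The SPI collision Simpson describes, worked through as an added example (this is illustrative code written for this archive page, not code from the original message or from any IPsec implementation). It models the RFC 1825 rule that an SA is selected by (Destination Address, SPI): a remote gateway G that inserts transport-mode AH on a packet bound for host H has to pick an SPI from H's namespace, which it cannot see, so it can clash with an SPI H already gave to an intranet peer R whose path never crosses a gateway. Tunnelling G to the gateway F in front of H keys the SA on F's address instead, and H's table is untouched. All addresses, SPIs and keys are constructed; the HMAC-SHA256 authenticator is a stand-in for the keyed-MD5 AH transform of the RFC 1826/1828 era, and the string "headers" stand in for real IP headers.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed addresses for the scenario (none are real deployments).
HOST_H = "10.1.1.10"     # destination host behind gateway F
PEER_R = "10.1.2.20"     # intranet peer that reaches H with no gateway in the path
HOST_Y = "172.16.0.5"    # remote host behind gateway G
GW_G = "192.0.2.1"       # remote gateway in front of Y
GW_F = "198.51.100.1"    # gateway in front of H


@dataclass(frozen=True)
class SA:
    dst: str      # the destination address the SPI is relative to
    spi: int
    key: bytes
    mode: str     # "transport" or "tunnel"


class SADB:
    """Security Association database keyed by (destination, SPI), per RFC 1825."""

    def __init__(self):
        self._sas = {}

    def add(self, sa):
        key = (sa.dst, sa.spi)
        if key in self._sas:
            raise KeyError(f"SPI {sa.spi:#x} already assigned for {sa.dst}")
        self._sas[key] = sa

    def lookup(self, dst, spi):
        return self._sas.get((dst, spi))


def authenticator(sa, ip_hdr, payload):
    """AH-style authenticator over header and payload (HMAC stand-in, truncated to 96 bits)."""
    return hmac.new(sa.key, ip_hdr + payload, hashlib.sha256).digest()[:12]


def receive(sadb, dst, spi, ip_hdr, payload, auth):
    """Inbound AH processing: select the SA by (dst, SPI), then verify the authenticator."""
    sa = sadb.lookup(dst, spi)
    if sa is None:
        return "no SA"
    if hmac.compare_digest(authenticator(sa, ip_hdr, payload), auth):
        return "ok"
    return "auth failed"


def spi_namespace_is_per_destination():
    """The same SPI value under two destinations is fine; under one destination it conflicts."""
    sadb = SADB()
    sadb.add(SA(HOST_H, 0x1000, b"k1", "transport"))
    sadb.add(SA(GW_F, 0x1000, b"k2", "tunnel"))          # different dst: no conflict
    try:
        sadb.add(SA(HOST_H, 0x1000, b"k3", "transport"))  # same dst: conflict
    except KeyError:
        return True
    return False


def transport_mode_collision():
    """G inserts transport-mode AH on Y's packet to H, using an SPI H already gave to R.

    R's path to H bypasses every gateway, so G cannot know 0x1000 is taken.
    H selects R's SA for G's packet and the authenticator check fails.
    """
    host_sadb = SADB()
    host_sadb.add(SA(HOST_H, 0x1000, b"key-R-to-H", "transport"))
    sa_g = SA(HOST_H, 0x1000, b"key-G-to-H", "transport")   # exists only in G's table
    ip_hdr = f"{HOST_Y}->{HOST_H}".encode()                # constructed stand-in header
    payload = b"data from Y"
    auth = authenticator(sa_g, ip_hdr, payload)            # computed by G on Y's behalf
    return receive(host_sadb, HOST_H, 0x1000, ip_hdr, payload, auth)


def tunnel_mode_to_gateway():
    """G tunnels Y's packet to F: outer destination is F, SPI from F's own namespace.

    F verifies and strips the outer header; H's (H, 0x1000) SA with R is never
    consulted and cannot collide with F's (F, 0x1000) SA with G.
    """
    host_sadb = SADB()
    host_sadb.add(SA(HOST_H, 0x1000, b"key-R-to-H", "transport"))
    gw_sadb = SADB()
    sa_g_to_f = SA(GW_F, 0x1000, b"key-G-to-F", "tunnel")
    gw_sadb.add(sa_g_to_f)
    inner = f"{HOST_Y}->{HOST_H}".encode() + b"data from Y"  # encapsulated packet
    outer_hdr = f"{GW_G}->{GW_F}".encode()
    auth = authenticator(sa_g_to_f, outer_hdr, inner)
    gw_result = receive(gw_sadb, GW_F, 0x1000, outer_hdr, inner, auth)
    return gw_result, host_sadb.lookup(HOST_H, 0x1000).key


if __name__ == "__main__":
    print("per-destination SPI namespace:", spi_namespace_is_per_destination())
    print("gateway-inserted transport AH at H:", transport_mode_collision())
    print("tunnel to gateway F:", tunnel_mode_to_gateway())
```

The point of the two scenario functions is the lookup key, not the hash: once the SA selector is (Destination, SPI), whoever inserts the header must own the SPI namespace of that destination, and only the destination itself does.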
- AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway pau
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway William Allen Simpson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway David P. Kemp
- Re: Re[2]: AH (without ESP) on a secure gateway Ran Atkinson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway Daniel Harkins
- Re: AH (without ESP) on a secure gateway Hilarie Orman
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: Re[2]: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re[4]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: Re[4]: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re[4]: AH (without ESP) on a secure gateway Karl Fox
- Re[5]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[5]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: Re[5]: AH (without ESP) on a secure gateway Bob Monsour
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re: Re[5]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Brian McKenney
- Re: AH (without ESP) on a secure gateway Perry E. Metzger
- Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Brian McKenney
- Re: AH (without ESP) on a secure gateway Ran Atkinson
- Re: Re[5]: AH (without ESP) on a secure gateway Ran Atkinson
- Re: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re: Re[2]: AH (without ESP) on a secure gateway Uri Blumenthal
- Re: AH (without ESP) on a secure gateway Daniel Harkins
- Re: Re[2]: AH (without ESP) on a secure gateway Naganand Doraswamy
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re: Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re: Re[2]: AH (without ESP) on a secure gateway Dan Frommer