Re: AH (without ESP) on a secure gateway

Michael Richardson <mcr@sandelman.ottawa.on.ca> Wed, 27 November 1996 01:50 UTC

Received: from cnri by ietf.org id aa20990; 26 Nov 96 20:50 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa00255; 26 Nov 96 20:50 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15500 for ipsec-outgoing; Tue, 26 Nov 1996 20:43:37 -0500 (EST)
Message-Id: <199611270145.UAA06847@amaterasu.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST." <199611262302.SAA01876@thunk.orchard.medford.ma.us>
Date: Tue, 26 Nov 1996 20:44:51 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes:
    Bill> Let's consider the case where you're attempting to add
    Bill> AH/ESP protection to an existing network which *currently
    Bill> uses IP-address based access controls*.  Naturally, you
    Bill> don't want to create security holes while doing this.

    Bill> Let's assume you have a network of cooperating but mutually
    Bill> suspicious organizations, like the auto industry net which
    Bill> Bob Moskowitz is building.

  Let's not forget that Bob's problem is more complicated than you
actually describe :-) [Bob said he was going to write a requirements
document up in June. Did anyone see this from him?]
  But it is a good problem.

    Bill> What stops C from tunnelling a packet to A with a source
    Bill> address on B's network?  You need a policy check that the
    Bill> packet emerging from the tunnel is from a source address
    Bill> which is allowed to use that particular tunnel..

  The way I like to do this is to consider all tunnels to be virtual
interfaces. You can then add routes, etc. Alas, I still haven't had a
chance to investigate how close that aspect (the "route add -net x.y
tunnel q.r") of the NRL code is to this assumption.
  IP spoof checks (which you say are already in place) can handle this
case without a problem.

  Good IP spoof checks are essentially:
	1. if1 = calculate route to take to reach ip->ip_src if 
		we had to reply.
	2. if interface we received ip on == if1, then okay,
		otherwise it is a spoof.

  These checks would have to be done anyway for the leased line case
for your assumption (C can not impersonate A to B) to be true.

     :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html  mcr@sandelman.ottawa.on.ca. PGP key available.
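The two-step spoof check described in the message above, worked through as an added example (this is not code from the message, from the NRL IPsec code, or from any real gateway). It models the message's idea of treating each tunnel as a virtual interface with its own routes: the interface names (tun_a, tun_b, tun_c, eth0, eth1), the prefixes, and the sample packets are all constructed for illustration. The behaviour for a source with no route back at all is not stated in the message; dropping it is an assumption made here.

```python
import ipaddress

# Constructed routing table for the gateway at organisation A:
# prefix -> outgoing interface.  Each IPsec tunnel is a virtual
# interface, so "route add -net x.y tunnel q.r" from the message
# simply becomes another entry here.  All names are assumptions.
ROUTES = {
    "10.1.0.0/16":    "eth0",   # A's own network, behind the gateway
    "10.2.0.0/16":    "tun_b",  # B's network, reached via tunnel to B
    "10.3.0.0/16":    "tun_c",  # C's network, reached via tunnel to C
    "0.0.0.0/0":      "eth1",   # default route: unprotected upstream link
}


def route_lookup(dst, routes=ROUTES):
    """Step 1 of the check: longest-prefix match for the interface a
    reply to `dst` would leave on.  Returns None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, ifname
    return best_if


def is_spoofed(src, rx_if, routes=ROUTES):
    """Step 2 of the check: the packet is genuine only if it arrived on
    the same interface we would use to reply to its source address."""
    if1 = route_lookup(src, routes)
    if if1 is None:
        # No route back at all.  The message does not cover this case;
        # treating it as a spoof is an assumption (a strict policy).
        return True
    return if1 != rx_if


def filter_packets(packets, routes=ROUTES):
    """Apply the check to (src, rx_if) pairs, e.g. packets emerging
    from a tunnel.  Returns (accepted, dropped) lists."""
    accepted, dropped = [], []
    for src, rx_if in packets:
        (dropped if is_spoofed(src, rx_if, routes) else accepted).append((src, rx_if))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample traffic seen by A's gateway after decapsulation.
    sample = [
        ("10.2.7.7", "tun_b"),  # B talking to A through B's tunnel: fine
        ("10.2.7.7", "tun_c"),  # C claims B's address through C's tunnel: spoof
        ("10.3.1.1", "tun_c"),  # C using its own address: fine
        ("10.1.0.5", "tun_c"),  # C claims an address inside A's own net: spoof
        ("198.51.100.9", "eth1"),  # Internet host on the upstream link: fine
        ("198.51.100.9", "tun_b"),  # Internet address injected via B's tunnel: spoof
    ]
    ok, bad = filter_packets(sample)
    for pkt in ok:
        print("accept", pkt)
    for pkt in bad:
        print("drop  ", pkt)
```

Because it matches the receive interface against the single best reverse route, this is a strict reverse-path check: on a gateway with asymmetric routing (more than one path back to the same source) it will drop legitimate traffic, and the usual relaxation is to accept the packet if any route to the source points at the receiving interface. For tunnels that are the only path to a partner's address space, the strict form is exactly what the message calls for.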