Re: AH (without ESP) on a secure gateway
Michael Richardson <mcr@sandelman.ottawa.on.ca> Wed, 27 November 1996 01:50 UTC
Received: from cnri by ietf.org id aa20990; 26 Nov 96 20:50 EST
Received: from portal.ex.tis.com by CNRI.Reston.VA.US id aa00255; 26 Nov 96 20:50 EST
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id UAA15500 for ipsec-outgoing; Tue, 26 Nov 1996 20:43:37 -0500 (EST)
Message-Id: <199611270145.UAA06847@amaterasu.sandelman.ottawa.on.ca>
To: ipsec@tis.com
Subject: Re: AH (without ESP) on a secure gateway
In-reply-to: Your message of "Tue, 26 Nov 1996 18:02:47 EST." <199611262302.SAA01876@thunk.orchard.medford.ma.us>
Date: Tue, 26 Nov 1996 20:44:51 -0500
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
>>>>> "Bill" == Bill Sommerfeld <sommerfeld@apollo.hp.com> writes: Bill> Let's consider the case where you're attempting to add Bill> AH/ESP protection to an existing network which *currently Bill> uses IP-address based access controls*. Naturally, you Bill> don't want to create security holes while doing this. Bill> Let's assume you have a network of cooperating but mutually Bill> suspicious organizations, like the auto industry net which Bill> Bob Moskowitz is building. Let's not forget that Bob's problem is more complicated that you actually describe :-) [Bob said he was going to write a requirements document up in June. Did anyone see this from him?] But it is a good problem. Bill> What stops C from tunnelling a packet to A with a source Bill> address on B's network? You need a policy check that the Bill> packet emerging from the tunnel is from a source address Bill> which is allowed to use that particular tunnel.. The way I like to do this is to consider all tunnels to be virtual interfaces. You can make add routes, etc.. Alas, I still haven't had a chance to investigate how close that aspect (the "route add -net x.y tunnel q.r") of the NRL code is to this assumption. IP spoof checks (which you say are already in place) can handle this case without a problem. Good IP spoof checks are essentially: 1. if1 = calculate route to take to reach ip->ip_src if we had to reply. 2. if interface we received ip on == if1, then okay, otherwise it is a spoof. These checks would have to be done anyway for the leased line case for your assumption (C can not impersonate A to B) to be true. :!mcr!: | Network security consulting and Michael Richardson | contract programming WWW: <A HREF="http://www.sandelman.ottawa.on.ca/People/Michael_Richardson/Bio.html">mcr@sandelman.ottawa.on.ca</A>. PGP key available.
- AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway pau
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway William Allen Simpson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway David P. Kemp
- Re: Re[2]: AH (without ESP) on a secure gateway Ran Atkinson
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: AH (without ESP) on a secure gateway Daniel Harkins
- Re: AH (without ESP) on a secure gateway Hilarie Orman
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: Re[2]: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re[4]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: Re[4]: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re[4]: AH (without ESP) on a secure gateway Karl Fox
- Re[5]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re[5]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Michael Richardson
- Re: Re[5]: AH (without ESP) on a secure gateway Bob Monsour
- Re: AH (without ESP) on a secure gateway Stephen Kent
- Re: Re[5]: AH (without ESP) on a secure gateway Stephen Kent
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re[2]: AH (without ESP) on a secure gateway Whelan, Bill
- Re: AH (without ESP) on a secure gateway Brian McKenney
- Re: AH (without ESP) on a secure gateway Perry E. Metzger
- Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re[2]: AH (without ESP) on a secure gateway Brian McKenney
- Re: AH (without ESP) on a secure gateway Ran Atkinson
- Re: Re[5]: AH (without ESP) on a secure gateway Ran Atkinson
- Re: AH (without ESP) on a secure gateway Bill Sommerfeld
- Re: Re[2]: AH (without ESP) on a secure gateway Uri Blumenthal
- Re: AH (without ESP) on a secure gateway Daniel Harkins
- Re: Re[2]: AH (without ESP) on a secure gateway Naganand Doraswamy
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re: AH (without ESP) on a secure gateway Steven Bellovin
- Re: Re[2]: AH (without ESP) on a secure gateway Stephen Kent
- Re: Re[2]: AH (without ESP) on a secure gateway Dan Frommer