Re: IPsec Minutes from Montreal

"PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com> Thu, 08 August 1996 03:20 UTC

Message-Id: <199608080327.UAA29223@mailsun2.us.oracle.com>
Date: Wed, 07 Aug 1996 19:52:51 -0700
From: "PALAMBER.US.ORACLE.COM" <PALAMBER@us.oracle.com>
To: mcr@milkyway.com
Subject: Re: IPsec Minutes from Montreal
Cc: ipsec@TIS.COM
X-Orcl-Application: In-Reply-To: UNX02.US.ORACLE.COM:mcr@milkyway.com's message of 06-Aug-96 10:30

 
>(I think everyone will agree that we have endless  
>debates about what layering is allowed!) 
 
It seems like any layering should be allowed.  A harder question is 
determining if there should be a mandate for minimum support of layering 
required in a conformant IPsec implementation. For now it seems premature to 
mandate support for specific layering configuration, but it would be useful to 
document some common useful configurations. 
 
Paul 
 
 
-------------------------------------------------------------- 
Paul Lambert                     Director of Security Products 
Oracle Corporation                       Phone: (415) 506-0370 
500 Oracle Parkway, Box 659410             Fax: (415) 413-2963 
Redwood Shores, CA  94065               palamber@us.oracle.com 
!!!      Hiring, send resumes to: palamber@us.oracle.com   !!! 
-------------------------------------------------------------- 
  

--- Begin Message ---
In a galaxy far, far away, : 05 Aug 1996 16:34:53 PDT
> 	A firewall vendor gave a talk on using IPSEC with firewalls, as a
> follow-up to the mobile IP problem of getting mobile IP traffic out of a foreign
> domain.  Assume a model where presence of valid AH is required for firewall
> traversal, in either direction.  The initially presented model looks at
> traversing a single firewall, nominally at the home agent perimeter.  The
> second model presented shows foreign and home firewalls.  The talk points out
> the need for multiple, layered SAs, from MN-to-firewall-1, then maybe between
> firewalls, then from HA to firewall-2, and eventually one SA above these to
> carry forwarded traffic from HA to MN.  Speaker notes the problems of being
> able to transmit the mobile IP messages, ICMP messages, and key management
> messages through firewalls as a precursor to establishing SAs in this complex
> environment.  The bottom line is that one has to look carefully at the rules
> that firewalls employ to determine what traffic will be allowed across, as

  Up to this point, I agree with the minutes.


> this might cause serious problems for SA establishment, especially for the mobile
> IP case.  However, the proposed solution is pretty complex and there are

  My perspective is that mobile IP is simply the tip of the iceberg. A good 
part of the IPsec architecture makes space for security gateways and the like.
(I think everyone will agree that we have endless debates about what layering 
is allowed!)

> easier approaches to dealing with this problem in the mobile IP case, e.g.,
> co-locating FAs and HAs with firewalls, or establishing long term SAs, between
> HAs and FAs and their local firewalls, to facilitate forwarding of mobile IP
> traffic.

  This doesn't solve the general problem. Does this general problem really
exist? Yes: I should point out that Bob Moskowitz's problem is very highly 
related. (This might not be clear to some, but remember that I build 
application layer firewalls. I fear to be too partisan if I were to describe
how I'd use IPsec+application layer firewalls to solve his problems. Besides,
I haven't seen his requirements document yet... Bob?)



-- 
      mcr@milkyway.com       |     Milkyway Networks Corporation <http://www.milkyway.com/>
   Michael C. Richardson     |   Makers of the Black Hole firewall
 Senior Research Specialist  | info@milkyway.com for BlackHole questions
 Home: mcr@sandelman.ocunix.on.ca <http://www.sandelman.ocunix.on.ca/People/Michael_Richardson/Bio.html>
  "In a razor of Love." "Voodoo People! Magic People! Voodoo People! Magic People!"




--- End Message ---
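The layered-SA firewall traversal described in the quoted minutes, as an added toy model that is not part of the thread and does not come from any IPsec implementation. The node names (HA, FW2, FW1, MN), the path and the SA set are assumptions chosen to match the minutes' second model (foreign and home firewalls), and a packet is a plain tuple of endpoints plus a stack of AH layers rather than a real AH header.

```python
# Toy model of the layered-SA firewall traversal in the minutes (added here, not
# code from the thread or any implementation). A firewall forwards a packet only
# if the outermost AH layer belongs to an SA it terminates; it strips that layer
# and re-protects toward the next hop. Hosts accept only layers addressed to them.

def sa(a, b):
    """An SA is modelled as just its (unordered) pair of endpoints."""
    return frozenset((a, b))

def protect(pkt, assoc):
    """Add one AH layer; pkt = (src, dst, layers), outermost layer last."""
    src, dst, layers = pkt
    return (src, dst, layers + [assoc])

def traverse(path, pkt, configured):
    """Walk pkt along path, where every intermediate node is a firewall
    enforcing the AH-required rule. Returns (delivered, trace)."""
    trace = []
    for i in range(1, len(path) - 1):
        node = path[i]
        src, dst, layers = pkt
        if not layers:
            return False, trace + [f"{node}: no AH, dropped"]
        outer = layers[-1]
        if node not in outer or outer not in configured:
            return False, trace + [f"{node}: cannot verify {sorted(outer)}, dropped"]
        pkt = (src, dst, layers[:-1])          # this firewall terminates the SA
        onward = sa(node, path[i + 1])
        if onward in configured:               # next hop also demands AH
            pkt = protect(pkt, onward)
        trace.append(f"{node}: verified, forwarded")
    receiver = path[-1]
    bad = [sorted(lay) for lay in pkt[2] if receiver not in lay]
    if bad:
        return False, trace + [f"{receiver}: unverifiable layers {bad}"]
    return True, trace + [f"{receiver}: delivered"]

# Constructed topology for the minutes' second model: FW1 guards the foreign
# (mobile node) side, FW2 the home agent perimeter; the names are assumptions.
PATH = ["HA", "FW2", "FW1", "MN"]
LAYERED = {sa("MN", "FW1"), sa("FW1", "FW2"), sa("HA", "FW2"), sa("HA", "MN")}

def scenarios():
    """HA->MN packets: unprotected (e.g. key management before any SA exists),
    end-to-end SA only, and the end-to-end SA nested under the HA-FW2 SA."""
    plain = ("HA", "MN", [])
    e2e_only = protect(plain, sa("HA", "MN"))
    layered = protect(e2e_only, sa("HA", "FW2"))
    return {n: traverse(PATH, p, LAYERED)[0] for n, p in
            [("plain", plain), ("e2e_only", e2e_only), ("layered", layered)]}
```

The trace from `traverse` shows where each packet dies: the unprotected and end-to-end-only packets are dropped at the first firewall, which is the bootstrap problem the speaker raised for key management and mobile IP messages.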