Re: ipsec in tunnel mode and dynamic routing
Derek Atkins <warlord@mit.edu> Mon, 19 November 2001 20:38 UTC
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: Lars Eggert <larse@ISI.EDU>, Ricky Charlet <rcharlet@redcreek.com>, Giaretta Gerardo <Gerardo.Giaretta@TILAB.COM>, ipsec@lists.tislabs.com, xbone@ISI.EDU
Subject: Re: ipsec in tunnel mode and dynamic routing
References: <20011119194941.403247C00@berkshire.research.att.com>
From: Derek Atkins <warlord@mit.edu>
Date: Mon, 19 Nov 2001 14:59:27 -0500
In-Reply-To: "Steven M. Bellovin"'s message of "Mon, 19 Nov 2001 14:49:41 -0500"
Message-ID: <sjm1yiujzvk.fsf@benjamin.ihtfp.org>

"Steven M. Bellovin" <smb@research.att.com> writes:

> It's not source address verification I'm concerned about, it's
> connection hijacking and DOSing.

If you're going to route on top of IPsec (i.e. use IPsec tunnels as
links to be routed across) then you don't get any additional
protection anyways, because you truly are not limiting the packets
traversing your network.

Aren't dynamic routing and access-control checks mutually exclusive
in the "core"? How would a core router know whether there is a real
path for a packet through a peer?

This seems to boil down to secure routing paths, which would seem
out of scope for IPsec, no?

> --Steve Bellovin, http://www.research.att.com/~smb
> Full text of "Firewalls" book now at http://www.wilyhacker.com

-derek

--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available