
List:       opensolaris-security-discuss
Subject:    Re: [security-discuss] Issue with IPSec being routed
From:       will young <will.young () sun ! com>
Date:       2007-09-27 19:40:33
Message-ID: 46FC0731.8030608 () sun ! com

Elijah Reed wrote:
> Solaris workstation
> 192.168.1.2 all-zones
>           | 
>           |
> 192.168.1.1 all-zones
> Solaris Server with multiple NICs
> 192.168.2.1 all-zones
>           |
>           |
> 192.168.2.2
> NON-CIPSO System
> 
	The trouble you will encounter with this situation is that .1.2 will 
attach CIPSO, based on the gateway, very high in the stack (before IPsec 
is applied); consequently, if integrity (AH) is being applied, it will be 
invalid after leaving .2.1.
	Any situation where you do not apply AH to the outer header will work 
around the issue.  I think the most common/secure tunnel configuration 
also applies AH to the full packet, which would normally cause the 
problem, but if I remember correctly it does not, since CIPSO is applied 
much lower in the stack for a tunneled packet.
	There are a couple of IPsec and IP projects that are getting underway 
which should address this problem (and add more functionality), such as 
the Labelled IPsec project Bill recently proposed to the security and 
network communities.
	-Will
> 
> Any help would be appreciated.
> Elijah
>  
>  
> This message posted from opensolaris.org
> _______________________________________________
> security-discuss mailing list
> security-discuss@opensolaris.org

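An added illustration of the failure Will describes; it is not part of his reply, Elijah's post, or any Solaris code. It builds an IPv4 header carrying a CIPSO option (option type 134), computes the AH ICV the way RFC 4302 prescribes (TOS, flags/fragment offset, TTL, checksum and every mutable option zeroed; immutable options such as CIPSO left in), and then checks the ICV against the header as it would look after .2.1 removes the label before forwarding to the non-CIPSO host. That stripping step, the HMAC key, SPI, DOI, sensitivity level and payload are all constructed assumptions for the demo; the addresses are the ones in Elijah's diagram. The record-route case is there for contrast: a mutable option rewritten in transit does not disturb AH, whereas a CIPSO option attached above IPsec and then removed does.

```python
"""AH integrity scope versus a CIPSO option inserted above IPsec (constructed demo)."""
import hashlib
import hmac
import socket
import struct

# Constructed values for the demo; the key and SPI are not from the post.
HMAC_KEY = b"\x0b" * 20              # 160-bit key for HMAC-SHA1-96 (RFC 2404)
SPI, SEQ = 0x1000, 1
AH, UDP = 51, 17
CIPSO = 134                          # Commercial IP Security Option: immutable under RFC 4302, so AH covers it
MUTABLE_OPTIONS = {7, 68, 131, 137}  # record route, timestamp, LSRR, SSRR: zeroed before the AH ICV


def ip_checksum(hdr):
    """RFC 791 header checksum, computed with the checksum field taken as zero."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr[:10] + b"\x00\x00" + hdr[12:]))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, options=b"", ttl=64):
    """IPv4 header with the given options (already padded to a 32-bit multiple)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def cipso_option(doi=1, level=5):
    """CIPSO option carrying one tag type 1 (type, length, alignment, sensitivity level)."""
    tag = bytes([1, 4, 0, level])
    body = struct.pack("!BBI", CIPSO, 6 + len(tag), doi) + tag
    return body + b"\x00" * (-len(body) % 4)            # EOL padding to 32 bits


def record_route_option():
    """Record-route option with one empty address slot, plus EOL padding."""
    return bytes([7, 7, 4]) + b"\x00" * 4 + b"\x00"


def walk_options(opts):
    """Yield (offset, type, length) for each IPv4 option, stopping at EOL."""
    i = 0
    while i < len(opts):
        t = opts[i]
        if t == 0:
            return
        l = 1 if t == 1 else opts[i + 1]                 # NOP is a single byte
        yield i, t, l
        i += l


def ah_immutable_view(hdr):
    """Header as AH sees it (RFC 4302 3.3.3.1.1.1): TOS, flags/fragment offset, TTL and checksum
    zeroed, each mutable option zeroed in full; immutable options such as CIPSO are kept."""
    h = bytearray(hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    for off, t, l in walk_options(hdr[20:]):
        if t in MUTABLE_OPTIONS:
            h[20 + off:20 + off + l] = b"\x00" * l
    return bytes(h)


def ah_icv(ip_hdr, payload, next_hdr=UDP):
    """HMAC-SHA1-96 over the immutable view of the IP header, the AH header with a zeroed ICV, and the payload."""
    ah_hdr = struct.pack("!BBHII", next_hdr, 4, 0, SPI, SEQ) + b"\x00" * 12   # payload len 4 = 24/4 - 2
    return hmac.new(HMAC_KEY, ah_immutable_view(ip_hdr) + ah_hdr + payload, hashlib.sha1).digest()[:12]


def strip_option(hdr, opt_type):
    """Rebuild a header without one option type. Assumed here to be what the labeled gateway
    does before forwarding to an unlabeled host; it is a demo assumption, not Solaris behaviour."""
    ihl = hdr[0] & 0x0F
    total = struct.unpack("!H", hdr[2:4])[0]
    opts, kept = hdr[20:ihl * 4], bytearray()
    for off, t, l in walk_options(opts):
        if t != opt_type:
            kept += opts[off:off + l]
    kept += b"\x00" * (-len(kept) % 4)
    return ipv4_header(socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20]),
                       hdr[9], total - ihl * 4, bytes(kept), ttl=hdr[8])


def demo():
    payload = b"constructed UDP payload"                         # constructed sample data
    ah_len = 24
    # 192.168.1.2 labels the packet (CIPSO) because its gateway is labeled, then applies AH.
    sent = ipv4_header("192.168.1.2", "192.168.2.2", AH, ah_len + len(payload), cipso_option())
    icv = ah_icv(sent, payload)
    # 192.168.2.1 forwards toward the non-CIPSO host without the label; the ICV no longer verifies.
    forwarded = strip_option(sent, CIPSO)
    ah_ok_after_cipso_strip = hmac.compare_digest(ah_icv(forwarded, payload), icv)

    # Contrast: a mutable option rewritten en route (record route slot filled, TTL decremented) leaves AH intact.
    rr = ipv4_header("192.168.1.2", "192.168.2.2", AH, ah_len + len(payload), record_route_option())
    icv_rr = ah_icv(rr, payload)
    hop = bytearray(rr)
    hop[22] = 8                                       # pointer advanced past the filled slot
    hop[23:27] = socket.inet_aton("192.168.1.1")      # router records its own address
    hop[8] -= 1                                       # TTL decrement
    hop[10:12] = struct.pack("!H", ip_checksum(bytes(hop)))
    ah_ok_after_record_route_rewrite = hmac.compare_digest(ah_icv(bytes(hop), payload), icv_rr)

    return {"ah_ok_after_cipso_strip": ah_ok_after_cipso_strip,
            "ah_ok_after_record_route_rewrite": ah_ok_after_record_route_rewrite}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Run it directly to print both results. An ESP-only SA (RFC 4303) authenticates the SPI, sequence number, payload and trailer and takes no input from the outer IP header, which is why Will's advice of not applying AH to the outer header sidesteps the problem.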