List: opensolaris-security-discuss
Subject: Re: [security-discuss] Issue with IPSec being routed
From: will young <will.young () sun ! com>
Date: 2007-09-27 19:40:33
Message-ID: 46FC0731.8030608 () sun ! com
Elijah Reed wrote:
> Solaris workstation
> 192.168.1.2 all-zones
> |
> |
> 192.168.1.1 all-zones
> Solaris Server with multiple NICs
> 192.168.2.1 all-zones
> |
> |
> 192.168.2.2
> NON-CIPSO System
>
The trouble you will encounter with this situation is that .1.2 will
attach CIPSO based on the gateway very high in the stack (before IPsec
is applied); consequently, if integrity (AH) is being applied, it will be
invalid after leaving .2.1.
Any situation where you do not apply AH to the outer header will work
around the issue. I think the most common/secure tunnel configuration
also applies AH to the full packet which would normally cause the
problem, but if I remember correctly it does not since CIPSO is applied
much lower in the stack for a tunneled packet.
There are a couple IPsec and IP projects that are getting underway
which should address this problem (and add more functionality) such as
the Labelled IPsec project Bill recently proposed to the security and
network communities.
-Will
>
> Any help would be appreciated.
> Elijah
>
>
> This message posted from opensolaris.org
> _______________________________________________
> security-discuss mailing list
> security-discuss@opensolaris.org
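
The failure described in the reply above, as an added example that is not part of the original message or of Solaris code: a simplified model of the AH integrity check, which covers immutable IPv4 options such as CIPSO (RFC 4302, Appendix A) but zeroes mutable fields such as TTL. It assumes the gateway removes the CIPSO option when forwarding to the unlabeled host; the key, SPI, label values and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

CIPSO = 134  # IPv4 option type; RFC 4302 App. A treats it as immutable (in the ICV)
KEY = b"constructed-demo-key"  # constructed sample key


def ipv4_header(src, dst, ttl, options, payload_len):
    """IPv4 header + options padded to 4 bytes, protocol 51 (AH), checksum left 0."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                        0, 0, ttl, 51, 0, bytes(src), bytes(dst))
    return fixed + options


def ah_icv(header, ah_and_payload):
    """HMAC-SHA1-96 with the mutable fields (TOS, flags/offset, TTL, checksum) zeroed."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    # Options stay as-is: CIPSO and End-of-List padding are both immutable.
    return hmac.new(KEY, bytes(h) + ah_and_payload, hashlib.sha1).digest()[:12]


def forward(header, strip_cipso):
    """Model the gateway hop: decrement TTL, optionally drop the (only) option."""
    h = bytearray(header)
    h[8] -= 1
    if strip_cipso:  # assumption: the label is removed for the non-CIPSO host
        opt_len = (h[0] & 0x0F) * 4 - 20
        total = struct.unpack("!H", h[2:4])[0] - opt_len
        h = h[:20]
        h[0] = (4 << 4) | 5
        h[2:4] = struct.pack("!H", total)
    return bytes(h)


def demo():
    # Constructed CIPSO option: length 10, DOI 1, tag type 1 (len 4, align 0, level 5)
    cipso = bytes([CIPSO, 10]) + struct.pack("!I", 1) + bytes([1, 4, 0, 5])
    # AH header (next=TCP, len=4, SPI, seq) with ICV zeroed, then a constructed payload
    ah = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + bytes(12) + b"constructed segment"
    sent = ipv4_header([192, 168, 1, 2], [192, 168, 2, 2], 64, cipso, len(ah))
    icv = ah_icv(sent, ah)  # what .1.2 computes, with CIPSO already attached
    check = lambda hdr: hmac.compare_digest(icv, ah_icv(hdr, ah))
    return {"ttl_only": check(forward(sent, False)),
            "cipso_stripped": check(forward(sent, True))}


if __name__ == "__main__":
    print(demo())
```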