Re: [IPsec] Traffic visibility - consensus call

Thu, 07 Jan 2010 08:10:22 -0800 

At 10:17 PM +0000 1/6/10, Brian Swander wrote:
I trust that this is a question on the sample set of requirements for the scenario I sent to Paul. 

I use infrastructure and intermediaries terms interchangeably.

The scenario I had in mind is:

No heuristic support from any network infrastructure.


Only limited number of legacy clients that require encryption, hence 
they are capable of upgrading.

Vast majority of legacy are ok with ESP-NULL.


Potentially many uplevel clients that require encryption.   As on 
the previous thread, we want to enable as many capabilities in the 
cross product matrix as possible.  Hence it is extremely desirable 
for uplevel to do encryption or integrity without forcing extra 
infrastructure config.



 I.e. I'd assume that managing ip addresses on all uplevel machines 
that want to do encryption is prohibitive.


Color me confused.

It appears that the high level policy is:


	- pairs of "uplevel" (WESP-capable) machines are allowed to 
send data via encrypted SAs, and thus bypass the packet inspection 
that the intermediate systems would otherwise perform



	-  if either machine in a communicating pair is not "uplevel" 
then any SAs between them must be subject to inspection by the 
intermediate systems, and hence they are restricted to using ESP-NULL 
(or no IPsec at all).



What confuses me is how the intermediate systems will know which 
policy applies to any given traffic flow? If the intermediate systems 
have a list of IP addresses of the hosts that fall into the category 
of "allowed to encrypt traffic" that would work, but that approach 
relies on doing what you said would be prohibitive to manage. Even if 
one needs only to configure one of the addresses or authorized pairs, 
that is the same as what would be needed in my proposal, and thus is 
also viewed as too hard to manage. But what other means of informing 
the intermediate systems how to decide to treat these two different 
classes of traffic do you envision?



I hope that you're not suggesting that the answer is to rely on each 
node to behave properly and to use only the type of SA for which it 
is authorized. If we had sufficient confidence in these nodes to do 
that, we probably wouldn't need intermediate systems to perform 
packet inspection, right?


Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec




























					Reply via email to