Home page logo

nanog logo nanog mailing list archives

IPsec with ambiguous routing
From: David Wilburn <dwilburn () mitre org>
Date: Wed, 12 Feb 2003 13:40:24 -0500

I've been attempting to beef up my knowledge of IPsec recently, and got
to thinking hypothetically about a *possible* problem with implementing
IPsec on larger networks.  My experience with IPsec is currently limited
at best, so hopefully I can communicate this properly:

Let's assume that I have a large-ish network with multiple connections
to the Internet and ambiguous routing (meaning that a packet might come
in one gateway and the response packet might leave through a different
gateway).  Let's also assume that I'd like to allow IPsec tunnels into
my network to allow single workstations and small networks to attach to

With such ambiguous routing, is my understanding correct that the
response traffic could potentially bypass the VPN concentrator
altogether and travel to the destination unencrypted?

Is there any best practices advice for dealing with IPsec on such a
network, or am I stuck with either "redesign your network architecture"
or "don't allow IPsec?"  From what I can figure, those last two options
are my best bet, unless I want to allow lots of VPN concentrators deeper
within the network where the routing is less ambiguous.

Are there any solutions for quickly, reliably, and securely sharing
IPsec Security Association databases between gateways, so that the other
gateways would know to encrypt the traffic before letting it out?

Any other relevant thoughts, experiences, insults, rude gestures, etc.?


-Dave Wilburn

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]