Re: IPsec with ambiguous routing
From: "Michael K. Smith" <mksmith () noanet net>
Date: Wed, 12 Feb 2003 10:50:11 -0800

On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote:

> I've been attempting to beef up my knowledge of IPsec recently, and got
> to thinking hypothetically about a *possible* problem with implementing
> IPsec on larger networks. My experience with IPsec is currently limited
> at best, so hopefully I can communicate this properly:
>
> Let's assume that I have a large-ish network with multiple connections
> to the Internet and ambiguous routing (meaning that a packet might come
> in one gateway and the response packet might leave through a different
> gateway).  Let's also assume that I'd like to allow IPsec tunnels into
> my network to allow single workstations and small networks to attach to
>
> With such ambiguous routing, is my understanding correct that the
> response traffic could potentially bypass the VPN concentrator
> altogether and travel to the destination unencrypted?

Well, if it's routed then it's reachable, whether or not the packets are encrypted or unencrypted. But, that doesn't mean the unencrypted traffic needs to be permitted beyond your gateways. The security association includes the source address, so you can create policies that disallow traffic except from expected hosts.

As for ambiguous (asymmetric?) routing, the tunnel is, for all intents and purposes, unaware of the underlying transport architecture, so it shouldn't make any difference as long as you have decent performance on your network as a whole. We use IPSec tunnels across the internet all the time and they work great.

> Are there any solutions for quickly, reliably, and securely sharing
> IPsec Security Association databases between gateways, so that the other
> gateways would know to encrypt the traffic before letting it out?

How about setting up your own Certificate Authority.

--------------------------------------------------------------------------
Michael K.      Smith           NoaNet
206.219.7116 (work)             206.579.8360 (cell)
mksmith () noanet net           http://www.noanet.net
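Editor's note: the reply above says the security policy can refuse cleartext traffic except from expected hosts, which is what prevents the asker's "response leaves through the other gateway unencrypted" scenario from leaking data. The following is an added example, not code from this thread, modelling an IPsec Security Policy Database (SPD) lookup on an egress gateway that holds no Security Associations itself; all prefixes and addresses are constructed sample values, and the policy/SA data structures are simplified assumptions rather than any vendor's implementation.

```python
"""Toy SPD/SAD model for an egress gateway that is not the VPN concentrator.

The point: a PROTECT policy with no matching SA must drop the packet,
not forward it in the clear, so asymmetric return paths cannot leak
plaintext to an IPsec peer (SPD semantics as in RFC 2401 / RFC 4301).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    src: str      # selector: source prefix
    dst: str      # selector: destination prefix
    action: str   # "PROTECT" (needs an SA), "BYPASS" (send clear) or "DISCARD"


# Constructed SPD, ordered, first match wins: internal 10.0.0.0/8 may reach the
# constructed remote VPN peer range 192.0.2.0/24 only under IPsec.
SPD = [
    Policy("10.0.0.0/8", "192.0.2.0/24", "PROTECT"),
    Policy("10.0.0.0/8", "0.0.0.0/0", "BYPASS"),
]

# Security Association Database of THIS gateway: (src_prefix, dst_prefix) pairs
# with an outbound SA. Empty because the SA lives on the concentrator.
SAD = set()


def lookup(spd, src, dst):
    """Return the first policy whose selectors cover the packet, or None."""
    s, d = ip_address(src), ip_address(dst)
    for p in spd:
        if s in ip_network(p.src) and d in ip_network(p.dst):
            return p
    return None


def egress_decision(spd, sad, src, dst):
    """Decide the fate of an outbound cleartext packet on this gateway."""
    p = lookup(spd, src, dst)
    if p is None or p.action == "DISCARD":
        return "DISCARD"          # no policy: default deny
    if p.action == "BYPASS":
        return "SEND_CLEAR"       # ordinary Internet traffic
    if (p.src, p.dst) in sad:
        return "ENCRYPT"          # SA present: apply ESP/AH
    return "DISCARD"              # PROTECT required, no SA here: never leak plaintext


if __name__ == "__main__":
    print(egress_decision(SPD, SAD, "10.1.2.3", "192.0.2.77"))    # DISCARD
    print(egress_decision(SPD, SAD, "10.1.2.3", "198.51.100.9"))  # SEND_CLEAR
```

A real gateway would trigger IKE instead of silently dropping, but the defensive property is the same: the SPD, not the routing table, decides whether a packet may ever leave in the clear.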
