RE: IPsec problems/ideas.

[Jordan Hrycaj <jordan () mjh teddy-net com>]

On Wed, 2002-10-16 at 20:20, Naman Latif wrote:
> I am not sure, if Solaris supports it. If I remember correctly, using
> IPSec in "Transport" mode instead of "Tunnel", would only Encrypt the
> Payload and not the Packet Header. However you will then have to make

With esp transport mode, the original header of the IP packet is not
placed in the encrypted payload.

But you will not see the complementing part to the ip header that makes
up TCP, or UDP. It is encrypted and part of the payload. So the question
whether to use transport or tunnel mode is irrelevant, here.

> sure that the addresses in the Header Field are Public and Routable
> through Internet.
>
> Regards \\ Naman
>
>
> > -----Original Message-----
> > From: Zep [mailto:zep () nemesis mmind net] 
> > Sent: Tuesday, October 15, 2002 10:06 AM
> > To: security-basics () securityfocus com
> > Subject: IPsec problems/ideas.

[snip]

> >     I've been poking at ipsec for this, because (from what 
> > I've read), I can seamlessly poke it into the conversation 
> > and all is encrypted.  and I can configure it to just encrypt 
> > the traffic that I'm worried about.
> >
> >     The problem that I'm running into is that since IPsec 
> > encrypts the TCP header, so the firewall can't see that it's 
> > traffic bound for 
> > port X and thus should be allowed.

Hiding tcp information is exactly what IPSec (esp, I assume you need
confidential/encrypted traffic and not message integrity only) is made
for.

To overcome this problem, set up an IPSec gateway just before the
firewall so that only unecrypted traffic passes through (assuming you
view the internal network behind as confidential/trusted).

> >     So what I'm looking for is suggestions/ideas/whatever 
> > of ways around this... I'd like something that acts like 
> > ipsec but just encrypts the data part of the packet, but 
> > leaves the rest of the header alone.

[snip]

regards
jordan