Re: SA selector checks alone are not enough

On Thu, Jul 03, 2003 at 06:32:08PM +1000, herbert wrote:
>
> > I am afraid I did not understand the idea.
> 
> Can you be a bit more specific about which bit doesn't make sense
> to you? Then I can try to clarify it.  Thanks.

Perhaps it would help if I gave these entities IP addresses.

Let the host in question be A with the address 192.168.0.178.
A connects to the local private network via the security gateway
192.168.0.1.  It does so by establishing an ESP tunnel to 192.168.0.1.
The selector of the tunnel is 192.168.0.178 <-> 10.10.0.0/16.

The network 10.10.10.0/24 is the trusted network T.  Any packets
with source addresses in T via the ESP tunnel are genuine.

The rest of 10.10.0.0/16 is not necessarily trusted.  However,
10.10.0.1 is the gateway to the national private network and is
trusted provided that we can verify its identity.  So we shall
establish an ESP/IPCOMP tunnel to 10.10.0.1, on top of the existing
ESP tunnel to 192.168.0.1.  The selector of this tunnel would be
192.168.0.178 <-> 10.0.0.0/8.

The policies are arranged so that the ESP tunnel to 192.168.0.1
has a higher priority so we can still reach 10.10.0.0/16 through it.

Now the problem is that any other host in 10.10.0.0/16, e.g.,
10.10.20.30 can hijack the IPCOMP tunnel to 10.10.0.1 and
send packets to A with source addresses in the trusted network
10.10.10.0/24.


My proposed solution is to strengthen the policy check by making
the loose match that we have now exact.  That is, a packet passes
the policy check only if its security path contains exactly the
SAs specified by the policy template.  Of course, we'll need to
deal with the IPCOMP/IPIP situation but that isn't too difficult
if we sacrifice a bit of elegance and allow the eligible IPIP
tunnel to match the IPCOMP SA.

Incidentally, this removes the need to have SA selectors as they
are now subsumed by the policy checks.  This makes it possible
to have SAs that apply to IP address ranges, e.g., 192.168.0.10-20
which currently can only be achieved with multiple SAs unless you
make the selector wider than it should be.

Cheers,
-- 
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-
: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
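To make the loose-versus-exact distinction in the mail concrete, the following is a small model of the inbound policy check, added here as an example; it is not kernel code and not code from the author. It reuses the host, gateways, selectors and the hijack from 10.10.20.30 described above. The data structures, the function names, the policy priorities (10 and 20) and the packet scenarios are assumptions of the model, and the matching rules are a simplification of the kernel's policy check of the time: templates and security-path entries are listed in decapsulation order, outermost first.

```python
"""Loose versus exact matching of an IPsec security path against policy
templates.  Constructed model, not Linux xfrm code: addresses and SAs
follow the mail, everything else is simplified."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple

A = "192.168.0.178"  # the host whose inbound policies are checked


@dataclass(frozen=True)
class SA:
    """One tunnel-mode SA as it appears in a packet's security path."""
    proto: str  # "esp", "ipcomp" or "ipip"
    src: str    # outer source address (the peer)
    dst: str    # outer destination address


def template_matches(tmpl: SA, sa: SA) -> bool:
    """Does an SA in the path satisfy a policy template?  The one concession
    from the mail: an IPCOMP template is also satisfied by the IPIP tunnel of
    that IPCOMP SA, which is what the path shows for an uncompressed packet."""
    if (tmpl.src, tmpl.dst) != (sa.src, sa.dst):
        return False
    return tmpl.proto == sa.proto or (tmpl.proto == "ipcomp" and sa.proto == "ipip")


def loose_check(templates: Sequence[SA], sec_path: Sequence[SA]) -> bool:
    """Current rule (simplified): each template must be matched by some SA
    further along the path, in order; SAs no template names are tolerated."""
    idx = 0
    for tmpl in templates:
        while idx < len(sec_path) and not template_matches(tmpl, sec_path[idx]):
            idx += 1
        if idx == len(sec_path):
            return False
        idx += 1
    return True


def exact_check(templates: Sequence[SA], sec_path: Sequence[SA]) -> bool:
    """Proposed rule: the path must consist of exactly the templated SAs."""
    return len(templates) == len(sec_path) and all(
        template_matches(t, s) for t, s in zip(templates, sec_path))


@dataclass(frozen=True)
class Policy:
    src: str                  # selector: inner source network
    dst: str                  # selector: inner destination address
    priority: int             # lower value wins (assumed values below)
    templates: Tuple[SA, ...]


def select_policy(policies: Sequence[Policy], inner_src: str, inner_dst: str) -> Optional[Policy]:
    hits = [p for p in policies
            if ip_address(inner_src) in ip_network(p.src)
            and ip_address(inner_dst) == ip_address(p.dst)]
    return min(hits, key=lambda p: p.priority) if hits else None


def policy_check(policies: Sequence[Policy], inner_src: str, inner_dst: str,
                 sec_path: Sequence[SA], exact: bool) -> bool:
    pol = select_policy(policies, inner_src, inner_dst)
    if pol is None:
        return False
    return (exact_check if exact else loose_check)(pol.templates, sec_path)


# The SAs from the mail.
ESP_GW = SA("esp", "192.168.0.1", A)       # tunnel to the local gateway
ESP_NAT = SA("esp", "10.10.0.1", A)        # tunnel to the national gateway
IPCOMP_NAT = SA("ipcomp", "10.10.0.1", A)  # IPCOMP carried inside ESP_NAT
IPIP_NAT = SA("ipip", "10.10.0.1", A)      # IPCOMP_NAT's IPIP tunnel (uncompressed)

POLICIES = (
    # 10.10.0.0/16 is reached through the local gateway alone, higher priority.
    Policy("10.10.0.0/16", A, 10, (ESP_GW,)),
    # The rest of 10.0.0.0/8 goes through both tunnels.
    Policy("10.0.0.0/8", A, 20, (ESP_GW, ESP_NAT, IPCOMP_NAT)),
)


def scenarios(exact: bool) -> dict:
    """Accept/reject per constructed packet under one matching rule."""
    return {
        # genuine packet from trusted T, decapsulated from the gateway tunnel only
        "trusted_T": policy_check(POLICIES, "10.10.10.5", A, [ESP_GW], exact),
        # genuine packet from the national network through both tunnels
        "national": policy_check(POLICIES, "10.20.30.40", A,
                                 [ESP_GW, ESP_NAT, IPCOMP_NAT], exact),
        # same peer, packet sent uncompressed: IPIP appears in place of IPCOMP
        "national_uncompressed": policy_check(POLICIES, "10.20.30.40", A,
                                              [ESP_GW, ESP_NAT, IPIP_NAT], exact),
        # 10.10.20.30 forges an IPCOMP packet with outer source 10.10.0.1 and
        # inner source in T, sent through the gateway tunnel.  The IPCOMP SA's
        # selector (A <-> 10.0.0.0/8) does not catch it; only the path can.
        "hijack": policy_check(POLICIES, "10.10.10.5", A, [ESP_GW, IPCOMP_NAT], exact),
    }


if __name__ == "__main__":
    for name, rule in (("loose", False), ("exact", True)):
        print(name, scenarios(rule))
```

Under the loose rule the forged packet is accepted: the gateway ESP SA it really did pass through is all the 10.10.0.0/16 policy asks for, and the extra IPCOMP SA in the path is ignored. Under the exact rule it is rejected because that policy's template does not name an IPCOMP SA, while the uncompressed packet from the national network is still accepted through the IPIP-for-IPCOMP concession.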
