> ESP has the capability for using authentication on
> its encapsulated payload.
> It makes AH *mostly* redundant.  You should specify
> *either* ESP
> authentication or AH.

OK, how can I check whether I'm using ESP with auth?

> You're correct.  And these theoretical attacks are
> becoming practical.  I had
> early conversations with someone who's writing a
> paper on such attacks.  See
> this blog entry:
> 
> http://blogs.sun.com/danmcd/entry/esp_without_authentication_considered_harmful
> 
> for details.

Oh my. That's just "lovely"!

> If you're using tunnels, there's no difference and
> you should use ESP-auth.

I am using tunnels, at least I believe I am; currently IPsec is implemented as 
ip.tun0 interfaces on both the laptop and the FW (this was the PoC case I 
mentioned earlier).

> ObCapNit:  "IPsec".  :)

Burned into NVRAM. (:-)

> ol.  So really the only NAT you have to worry about
> is the DSL
> modem.  This means FW A is the only node that can
> practically initiate IKE
> Phase I.  Traffic flow originating from A or A's
> network can keep this from
> being a problem.
> 
> Otherwise, just make sure LAN A and LAN B have
> different prefixes and you can
> set up a tunnel between FW A and FW B.  The tsrc/tdst
> from FW A's
> point-of-view will be the 1st-NAT-private-IP and B's
> external address.  The
> tsrc/tdst from FW B's point-of-view will be B's
> external address and the DSL
> Modem's external address.

I did this years ago by selecting class A range and subdividing it into class B 
with 255.255.0.0, so yes, I am using different network segments. I had people 
laughing at me for doing this for five systems I had back then in my basement, 
but now that I'm on the other side of the world, it's working and I don't have 
a headache.

> If the DSL modem is
> *completely* out of your
> control w.r.t. address renumbering, you will have to
> figure out a way to
> communicate the ADSL modem's external address to FW B
> periodically.  A
> transport-mode-protected non-ping(1m)-ping of some
> sort would do the trick.
> 
> We implement tunnels-as-network-interfaces in
> Solaris, so we have to keep the
> tsrc/tdst fixed on an instance.  If your ISP
> psychotically changes external
> addresses on you every so often, you'll have to make
> FW B aware of it so it
> can reset tsrc/tdst on its tunnel.

What do you mean?
I have a permanent/fixed external IP address, with an IN PTR entry in DNS and 
everything.

> NAT is such a steaming pile... and it's situations
> like yours that illustrate
> it.  Your ISP could give you a dynamically-assigned
> external IP... it's not
> that hard.  Oh well... I'm sure you complained to
> them about that already.

I explicitly and specifically demanded business ADSL so that I could have a 
fixed IP address with an IN PTR entry, and that is what I got. Are you saying I 
should've complained to them to have a dynamic IP address instead?
This message posted from opensolaris.org
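To follow up on the question in this message ("how can I check whether I'm using ESP with auth?"), here is an added audit script that is not part of the thread or of Solaris. It assumes the policy listing uses the rule syntax of ipsecconf(1M), where `encr_algs` selects ESP encryption, `encr_auth_algs` selects ESP's own integrity check, and `auth_algs` selects AH; the sample rules are constructed for illustration. Each rule is classified so that ESP-without-integrity entries stand out, while a rule that pairs ESP encryption with AH, or that uses ESP authentication, is reported as acceptable.

```python
"""Audit an IPsec policy listing for ESP rules that carry no integrity protection.

Added example (not from the thread). Assumes the ipsecconf(1M) rule syntax:
    { <selectors> } ipsec { encr_algs <x> encr_auth_algs <y> auth_algs <z> ... }
"""
import re

# Constructed sample in ipsecconf-style syntax; not the original poster's policy.
SAMPLE_POLICY = """\
{ laddr 10.1.0.0/16 raddr 10.2.0.0/16 } ipsec { encr_algs aes encr_auth_algs sha1 sa shared }
{ laddr 10.1.0.0/16 raddr 10.3.0.0/16 } ipsec { encr_algs aes sa shared }
{ laddr 10.1.0.0/16 raddr 10.4.0.0/16 } ipsec { auth_algs sha1 sa shared }
{ laddr 10.1.0.0/16 raddr 10.5.0.0/16 } ipsec { encr_algs 3des auth_algs sha1 sa shared }
{ laddr 10.1.0.0/16 raddr 10.6.0.0/16 } bypass { }
"""

# One rule: a brace-delimited selector block, an action word, a brace-delimited property block.
RULE_RE = re.compile(r"\{(?P<sel>[^}]*)\}\s*(?P<action>\w+)\s*\{(?P<props>[^}]*)\}")


def parse_rules(text):
    """Return a list of {selector, action, props} dicts, one per rule found."""
    rules = []
    for m in RULE_RE.finditer(text):
        tokens = m.group("props").split()
        # Property block is a flat sequence of "key value" pairs.
        props = dict(zip(tokens[0::2], tokens[1::2]))
        rules.append({
            "selector": " ".join(m.group("sel").split()),
            "action": m.group("action"),
            "props": props,
        })
    return rules


def classify(rule):
    """Classify how (or whether) a rule provides integrity protection."""
    if rule["action"] != "ipsec":
        return "no-ipsec"
    p = rule["props"]
    esp = "encr_algs" in p            # ESP encryption requested
    esp_auth = "encr_auth_algs" in p  # ESP's own authentication
    ah = "auth_algs" in p             # AH header requested
    if esp and not esp_auth and not ah:
        return "esp-no-auth"          # encryption only: the case the thread warns about
    if esp and esp_auth and ah:
        return "esp-auth+ah"          # both: works, but AH is redundant here
    if esp and esp_auth:
        return "esp-auth"
    if esp and ah:
        return "esp+ah"               # integrity via AH instead of ESP auth
    if ah:
        return "ah-only"              # integrity, no confidentiality
    return "unknown"


def audit(text):
    """Return (selector, classification) for every rule in the listing."""
    return [(r["selector"], classify(r)) for r in parse_rules(text)]


def unauthenticated_esp(text):
    """Return just the selectors whose ESP rule lacks any integrity check."""
    return [sel for sel, kind in audit(text) if kind == "esp-no-auth"]


if __name__ == "__main__":
    for sel, kind in audit(SAMPLE_POLICY):
        flag = "  <-- ESP without integrity protection" if kind == "esp-no-auth" else ""
        print(f"{kind:12s} {sel}{flag}")
```

On a live system the listing would come from the host's policy dump rather than the embedded sample; the point of the classification is that only rules with `encr_algs` and neither `encr_auth_algs` nor `auth_algs` fall into the unauthenticated category the quoted blog entry is about.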