On Wed, May 02, 2007 at 01:00:30AM -0700, UNIX admin wrote:
> > ESP has the capability for using authentication on its encapsulated
> > payload.  It makes AH *mostly* redundant.  You should specify *either*
> > ESP authentication or AH.
> 
> OK, how can I check whether I'm using ESP with auth?

If you're already protecting traffic with ESP, utter (with privilege):

        ipseckey dump esp | egrep "AKY:|Authentication"

If you see output, then you're using ESP authentication.

> > http://blogs.sun.com/danmcd/entry/esp_without_authentication_considered_harmful
> > 
> > for details.
> 
> Oh my. That's just "lovely"!

Yep.  When he presents the paper at the conference, he'll show you how
OpenSolaris is "vulnerable" because we follow the spec if we do proper,
by-the-spec padding checks.

> > If you're using tunnels, there's no difference and you should use ESP-auth.
> 
> I am using tunnels, at least I believe I am, currently IPsec is implemented
> as ip.tun0 interfaces on both the laptop and the FW (this was the PoC case
> I mentioned earlier).

Aha!  If you're running a recent build of OpenSolaris, you can utter:

        ipsecconf -ln -i ip.tun0

to see the policy for ip.tun0.  Or you can do:

        ifconfig ip.tun0

> > external address.  The tsrc/tdst from FW B's point-of-view will be B's
> > external address and the DSL Modem's external address.
> 
>  I did this years ago by selecting class A range and subdividing it into
> class B with 255.255.0.0, so yes, I am using different network segments. I
> had people laughing at me for doing this for five systems I had back then
> in my basement, but now that I'm on the other side of the world, it's
> working and I don't have a headache.

Good job!

> > We implement tunnels-as-network-interfaces in Solaris, so we have to keep
> > the tsrc/tdst fixed on an instance.  If your ISP psychotically changes
> > external addresses on you every so often, you'll have to make FW B aware
> > of it so it can reset tsrc/tdst on its tunnel.
> 
> What do you mean?
> 
> I have a permanent/fixed external IP address, with an IN PTR entry in DNS
> and everything.

In that case you're in FINE shape w.r.t. the tunnels.  :)

>  I explicitly and specifically demanded business ADSL so that I could have
> a fixed IP address with an IN PTR entry, and that is what I got.

Great!  Everything I was worried about w.r.t. "psychotic ISPs" goes away with
such a setup.

> Are you saying I should've complained to them to have a dynamic IP address
> instead?

Nope.  The one thing, though, is that it looks like your fixed IP address has
one of THEIR NATs in front of it.  This could be problematic for IKE because
in theory the ISP NAT won't know to which box IKE packets should be directed.

...

I've lost a lot of context, and I apologize for the drift.  I *believe* you
can protect your ends using IPsec.  And just using ESP (with authentication)
will keep NATs from being TOO big of a problem.  I'm a little concerned that
your DSL box has an ISP-provided NAT.  In spite of your fixed address, that
ISP-provided NAT might be a problem for the IKE-direction problem I mentioned
above.  You'll have to experiment and see, however.

Dan
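The ipseckey check above looks at live SAs; the policy that ipsecconf loads can be audited the same way before anything is brought up. The script below is an added example, not Dan's or the admin's, and assumes the documented ipsecconf(1M) keywords (encr_algs, encr_auth_algs, auth_algs); the sample policy it writes is constructed.

```shell
#!/bin/sh
# Flag ipsecconf-style rules that configure ESP encryption (encr_algs) with
# neither ESP authentication (encr_auth_algs) nor an AH authenticator
# (auth_algs): exactly the "ESP without authentication" case the thread warns about.

POLICY_FILE="${TMPDIR:-/tmp}/esp_audit_sample.$$"
trap 'rm -f "$POLICY_FILE"' EXIT

# Constructed sample policy: one rule is ESP-only, the others are fine.
cat > "$POLICY_FILE" <<'EOF'
# constructed sample, not a real site policy
{ laddr 10.0.0.0/8 raddr 172.16.0.0/12 } ipsec { encr_algs aes encr_auth_algs sha1 }
{ laddr 10.1.0.0/16 raddr 192.168.0.0/16 } ipsec { encr_algs 3des }
{ laddr 10.2.0.0/16 raddr 192.168.5.0/24 } ipsec { encr_algs aes auth_algs md5 }
{ laddr 10.3.0.0/16 raddr 192.168.6.0/24 } bypass { dir both }
EOF

# Print every offending rule; exit 0 when none are found, 1 otherwise.
audit_ipsec_policy() {
    file="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|"") continue ;;            # skip comments and blank lines
        esac
        case "$line" in
            *ipsec*encr_algs*) ;;          # only ESP rules with encryption matter
            *) continue ;;
        esac
        case "$line" in
            *encr_auth_algs*) continue ;;  # ESP carries its own authenticator
            *auth_algs*) continue ;;       # AH supplies the integrity check instead
        esac
        found=$((found + 1))
        printf 'ESP without authentication: %s\n' "$line"
    done < "$file"
    [ "$found" -eq 0 ]
}

audit_ipsec_policy "$POLICY_FILE"
```

Point it at the file you feed to ipsecconf (or at saved `ipsecconf -ln` output reformatted one rule per line) instead of the constructed sample.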
