IPsec with ambiguous routing

Michael K. Smith mksmith at noanet.net
Wed Feb 12 18:50:11 UTC 2003
On Wednesday, February 12, 2003, at 10:40 AM, David Wilburn wrote:

>
> I've been attempting to beef up my knowledge of IPsec recently, and got
> to thinking hypothetically about a *possible* problem with implementing
> IPsec on larger networks.  My experience with IPsec is currently limited
> at best, so hopefully I can communicate this properly:
>
> Let's assume that I have a large-ish network with multiple connections
> to the Internet and ambiguous routing (meaning that a packet might come
> in one gateway and the response packet might leave through a different
> gateway).  Let's also assume that I'd like to allow IPsec tunnels into
> my network to allow single workstations and small networks to attach to
> mine.
>
> With such ambiguous routing, is my understanding correct that the
> response traffic could potentially bypass the VPN concentrator
> altogether and travel to the destination unencrypted?

Well, if it's routed then it's reachable, whether or not the packets
are encrypted or unencrypted.  But, that doesn't mean the unencrypted
traffic needs to be permitted beyond your gateways.  The security
association includes the source address, so you can create policies
that disallow traffic except from expected hosts.

As for ambiguous (asymmetric?) routing, the tunnel is, for all intents
and purposes, unaware of the underlying transport architecture, so it
shouldn't make any difference as long as you have decent performance on
your network as a whole.  We use IPSec tunnels across the internet all
the time and they work great.

> Are there any solutions for quickly, reliably, and securely sharing
> IPsec Security Association databases between gateways, so that the other
> gateways would know to encrypt the traffic before letting it out?
>
How about setting up your own Certificate Authority.

Mike
--
Michael K. Smith         NoaNet
206.219.7116 (work)      206.579.8360 (cell)
mksmith at noanet.net    http://www.noanet.net
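An added example (my own code, not part of this thread or of any IPsec implementation): a toy Python model of the RFC 4301 policy (SPD) and SA (SAD) lookup, with constructed addresses, run against the scenario above. It shows that when a "protect" policy is configured on every gateway, a reply that exits a gateway holding no SA for the remote network is dropped instead of leaving in cleartext, and a cleartext packet claiming the remote source address is rejected, whereas a gateway with no IPsec policy leaks the reply.

```python
import ipaddress
from dataclasses import dataclass, field
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Policy:                  # one SPD entry
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                # "protect" (must use an SA), "bypass" (cleartext ok) or "discard"

@dataclass
class Gateway:
    spd: list                               # ordered policies, first match wins
    sad: set = field(default_factory=set)   # (src_net, dst_net) selectors with a live SA

    def lookup(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for p in self.spd:
            if s in p.src and d in p.dst:
                return p
        return Policy(ANY, ANY, "discard")  # RFC 4301: no matching entry means discard

    def outbound(self, src, dst):
        """Fate of a packet leaving this gateway: 'esp', 'cleartext' or 'dropped'."""
        p = self.lookup(src, dst)
        if p.action == "bypass":
            return "cleartext"
        if p.action == "protect" and (p.src, p.dst) in self.sad:
            return "esp"
        return "dropped"  # 'protect' but IKE ran on another gateway, so no SA here; or 'discard'

    def inbound(self, src, dst, esp):
        """Fate of a packet arriving from outside: 'accepted' or 'dropped'."""
        p = self.lookup(src, dst)
        if p.action == "bypass" or (p.action == "protect" and esp and (p.src, p.dst) in self.sad):
            return "accepted"
        return "dropped"  # cleartext where policy demands protection, or no matching SA

# Constructed addresses for the scenario in the thread.
INSIDE = ipaddress.ip_network("10.0.0.0/16")      # the large-ish network
REMOTE = ipaddress.ip_network("192.168.5.0/24")   # a small network attaching over IPsec
SPD = [Policy(INSIDE, REMOTE, "protect"), Policy(REMOTE, INSIDE, "protect")]
gw_a = Gateway(SPD, sad={(INSIDE, REMOTE), (REMOTE, INSIDE)})  # IKE completed on this gateway
gw_b = Gateway(SPD)                                            # same policy, but no SA yet
gw_weak = Gateway([Policy(ANY, ANY, "bypass")])                # no IPsec policy at all

def scenario():
    reply = ("10.0.1.5", "192.168.5.10")  # inside host answering the remote client
    return {"reply via gw-a": gw_a.outbound(*reply),            # 'esp'
            "reply via gw-b": gw_b.outbound(*reply),            # 'dropped' rather than leaked
            "reply via gw-weak": gw_weak.outbound(*reply),      # 'cleartext' leak
            "cleartext at gw-b": gw_b.inbound("192.168.5.10", "10.0.1.5", False)}  # 'dropped'
```

Real stacks express the same thing with their own policy tables (for example the SPD entries loaded by setkey or ip xfrm), and the reply is dropped on gw-b until that gateway also negotiates an SA, which is exactly the SA-sharing gap the question asks about.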

More information about the NANOG mailing list