Date: Thu, 24 Jan 2002 13:14:44 -0700
From: Nate Williams <nate@yogotech.com>
To: anderson@centtech.com
Cc: Nate Williams <nate@yogotech.com>, dr3node <dr3node@danceonfire.net>, freebsd-security@freebsd.org
Subject: Re: Can't set up an IPsec tunnel.
Message-ID: <15440.27444.625825.317011@caddis.yogotech.com>
In-Reply-To: <3C506A89.AFC3EF38@centtech.com>
References: <200201241847.AHX10883@vmms1.verisignmail.com> <3C50588C.7200324B@centtech.com> <200201241900.AHX11812@vmms1.verisignmail.com> <3C505AFD.52FF9ADE@centtech.com> <15440.26956.433891.236940@caddis.yogotech.com> <3C506A89.AFC3EF38@centtech.com>
> I'm not saying B can modify the data, I'm saying A can't trust C's
> data, since it appears to come from B, and C builds it as if it's
> coming from C, with no knowledge that B is NAT'ing.

Unless you do the double encapsulation thing, which allows
external/third parties to modify the headers (and only the headers),
because the integrity checks are done on the actual data.

This type of IPSEC tunneling may end up becoming a standard part of
IPSEC in the future, since I've heard rumors that the IETF is going to
accept it.

Nate

> > > As far as I know, no, because that would be like a "man in the middle" attack (I
> > > think). Like this:
> > >
> > > A <--- B ---> C
> > >
> > > If A is talking to C via IPSEC, A tells C its IP (the true IP) and C tells A
> > > its IP (its true IP, behind the masqueraded host), but A sees C as B's IP
> > > address. How does it know that C knows that B exists?
> >
> > It doesn't matter, since B can't read/modify the traffic A or C
> > generated.
> >
> > It can certainly mess with the headers all it wants, but that won't help
> > it figure out what is going on.
> >
> > (Again, this assumes that A & C have authenticated themselves correctly,
> > per the IPSEC specification. :)
> >
> > Nate
> >
> > > dr3node wrote:
> > > >
> > > > On Thursday 24 January 2002 21:55, you wrote:
> > > > > IPSEC won't work through masquerading boxes or NAT firewalls.
> > > > >
> > > > > Eric
> > > >
> > > > is there any way to cheat?
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > >
> > > --
> > > ------------------------------------------------------------------
> > > Eric Anderson anderson@centtech.com Centaur Technology
> > > If at first you don't succeed, sky diving is probably not for you.
> > > ------------------------------------------------------------------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15440.27444.625825.317011>
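The point argued in the thread (B may rewrite headers, but the integrity check is over the data, so A and C still get what the other one sent) can be shown with a few dozen lines of packet construction. The block below is an added illustration, not code from the thread or from FreeBSD's IPsec stack. It builds a transport-mode AH packet and a transport-mode ESP packet from C to A, lets a masquerading B rewrite the source address (and, for UDP-wrapped ESP, the source port), and checks the ICV at A. Everything in it is assumed for the demo: HMAC-SHA1-96 as the integrity algorithm, one hard-coded key standing in for what IKE would negotiate, encryption left out because only the integrity check matters here, RFC 5737 documentation addresses, and a UDP wrapper on port 4500 modelled on what later became NAT-T.

```python
"""Constructed demo, not code from the thread: a masquerading box (B)
breaks AH but not ESP, and wrapping ESP in UDP gives B a port to
translate without touching what the ICV covers.
Assumptions (mine): IPv4, transport mode, HMAC-SHA1-96, no encryption,
one hard-coded key, RFC 5737 documentation addresses."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"          # assumed to be shared by A and C
SPI, SEQ = 0x1000, 1
PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51


def addr(dotted):
    return bytes(int(x) for x in dotted.split("."))


def ip_checksum(data):
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src, dst, proto, total_len):
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len,
                                0x1234, 0x4000, 64, proto, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr)


def icv(data):
    """HMAC-SHA1-96: the 160-bit tag truncated to 96 bits, as IPsec does."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_immutable_view(ip_hdr):
    """AH zeroes the fields RFC 2402 calls mutable (TOS, flags/offset,
    TTL, checksum) but keeps the addresses, so a NAT rewrite is caught."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS
    h[6:8] = b"\0\0"         # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\0\0"       # header checksum
    return bytes(h)


def build_ah(src, dst, payload, next_proto=PROTO_UDP):
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 24 + len(payload))
    ah_hdr = struct.pack("!BBHII", next_proto, 4, 0, SPI, SEQ)  # len 4 => 24 bytes
    covered = ah_immutable_view(ip_hdr) + ah_hdr + b"\0" * 12 + payload
    return ip_hdr + ah_hdr + icv(covered) + payload


def verify_ah(pkt):
    ip_hdr, ah_hdr, tag, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    covered = ah_immutable_view(ip_hdr) + ah_hdr + b"\0" * 12 + payload
    return hmac.compare_digest(icv(covered), tag)


def build_esp(src, dst, payload, next_proto=PROTO_UDP):
    """ESP's ICV covers SPI, sequence number, payload and trailer only;
    the outer IP header is not protected at all."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_proto])
    body = struct.pack("!II", SPI, SEQ) + payload + trailer
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + len(body) + 12)
    return ip_hdr + body + icv(body)


def verify_esp(pkt, esp_offset=20):
    body, tag = pkt[esp_offset:-12], pkt[-12:]
    return hmac.compare_digest(icv(body), tag)


def udp_encapsulate(esp_pkt, sport=4500, dport=4500):
    """The thread's 'double encapsulation': ESP inside UDP so that a
    port-translating NAT has something to rewrite (modelled on NAT-T)."""
    inner = esp_pkt[20:]
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner  # UDP csum 0 is legal on IPv4
    return ipv4_header(esp_pkt[12:16], esp_pkt[16:20], PROTO_UDP, 20 + len(udp)) + udp


def nat_rewrite(pkt, new_src, new_sport=None):
    """What B does: swap the source address (and UDP source port), fix the
    IP header checksum, and leave every other byte alone."""
    h = bytearray(pkt[:20])
    h[12:16] = new_src
    h[10:12] = b"\0\0"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    rest = bytearray(pkt[20:])
    if h[9] == PROTO_UDP and new_sport is not None:
        rest[0:2] = struct.pack("!H", new_sport)
    return bytes(h) + bytes(rest)


def demo():
    """C (10.0.0.2, behind B) sends to A (198.51.100.7); B masquerades as 203.0.113.1."""
    c, a, b = addr("10.0.0.2"), addr("198.51.100.7"), addr("203.0.113.1")
    payload = b"constructed payload from C"
    ah, esp = build_ah(c, a, payload), build_esp(c, a, payload)
    esp_udp = udp_encapsulate(esp)
    return {
        "ah_direct": verify_ah(ah),
        "ah_via_nat": verify_ah(nat_rewrite(ah, b)),
        "esp_direct": verify_esp(esp),
        "esp_via_nat": verify_esp(nat_rewrite(esp, b)),
        "esp_udp_via_pat": verify_esp(nat_rewrite(esp_udp, b, new_sport=61000), esp_offset=28),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV FAILS'}")
```

Run as a script it prints one line per case: AH verifies only when B is not in the path, because the source address is inside the data AH authenticates; ESP verifies either way, because B only touched bytes outside the ESP body; and the UDP-wrapped ESP still verifies after B has rewritten both the address and the port. That is the whole of the thread's claim: B can change the headers, and only the headers, and a valid ICV still tells A that the holder of the key built the body, whatever address B stamped on the outside.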