Date: Sat, 05 May 2001 21:43:51 +0200
From: Roelof Osinga <roelof@eboa.com>
To: Flemming Frøkjær <flemming@froekjaer.org>
Cc: questions@FreeBSD.ORG
Subject: Re: ipsec/ipfw combination insecure?
Message-ID: <3AF457F7.FBA33634@eboa.com>
References: <3174.63.105.19.225.989018470.squirrel@sleipner.eiffel.dk>
Flemming Frøkjær wrote:
>
> When using ipsec to set up a VPN, address translation is taking place
> before ipfw gets the packets. This means that ipfw sees the packets from
> the remote RFC1918 network as coming from the external network
> interface, and thus one is forced to bore a gaping hole for incoming
> traffic in that IP range for the VPN to work. As far as I know, hackers
> can easily spoof their IP, so it will look like their packets are coming
> from that very same IP range. Am I too paranoid here, or is there really
> a security problem with this? If there is, what can be done about it? If
> there isn't, why not?

Isn't that where IKE comes in? Spoofing an IP address is one thing,
but spoofing a certificate quite another. Sure, everybody can knock
on your door... but you can only get in with the right key <g>.

Roelof

--
-----------------------------------------------------------------------
eBOA®                                                         est. 1982
tel. +31-58-2123014                                web. http://eBOA.com/
fax. +31-58-2160293                                mail info@eBOA.com