From owner-freebsd-questions Sat May 5 12:44:14 2001
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id 20FB937B423 for ; Sat, 5 May 2001 12:44:06 -0700 (PDT) (envelope-from roelof@eboa.com)
Received: from eboa.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id VAA39495; Sat, 5 May 2001 21:43:52 +0200 (CEST) (envelope-from roelof@eboa.com)
Message-ID: <3AF457F7.FBA33634@eboa.com>
Date: Sat, 05 May 2001 21:43:51 +0200
From: Roelof Osinga
Organization: eBOA - Programming the Web
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
To: Flemming Frøkjær
Cc: questions@FreeBSD.ORG
Subject: Re: ipsec/ipfw combination insecure?
References: <3174.63.105.19.225.989018470.squirrel@sleipner.eiffel.dk>

Flemming Frøkjær wrote:
>
> When using ipsec to set up a VPN, address translation is taking place
> before ipfw gets the packets. This means that ipfw sees the packets from
> the remote RFC1918 network as coming from the external network
> interface, and thus one is forced to bore a gaping hole for incoming
> traffic in that IP range for the VPN to work. As far as I know, hackers
> can easily spoof their IP, so it will look like their packets are coming
> from that very same IP range. Am I too paranoid here, or is there really
> a security problem with this? If there is, what can be done about it? If
> there isn't, why not?

Isn't that where IKE comes in? Spoofing an IP address is one thing, but
spoofing a certificate quite another. Sure, everybody can knock on your
door... but you can only get in with the right key.
Roelof

--
-----------------------------------------------------------------------
eBOA® est. 1982                                   tel. +31-58-2123014
web. http://eBOA.com/                             fax. +31-58-2160293
mail info@eBOA.com
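The two rulesets below are an added example, not part of either message in this thread, to make the point concrete: the "gaping hole" Flemming describes accepts any packet whose source claims to be in the remote RFC1918 range, encrypted or not, while the hardened set only accepts such a packet once the kernel has actually decapsulated it from a Security Association that IKE negotiated with the peer. A spoofer can forge a source address in a cleartext packet, but cannot produce ESP that decapsulates under that SA, which is Roelof's "right key". Interface name (fxp0), the peer address (203.0.113.10, a documentation address) and the remote network (192.168.2.0/24) are constructed. The `ipsec` rule option is assumed to be available: it belongs to ipfw2 and only matches when the kernel passes decapsulated tunnel packets back through the firewall (the IPSEC_FILTERTUNNEL kernel option, later the sysctl net.inet.ipsec.filtertunnel), so it is not something the FreeBSD of 2001 offered. Where it is missing, the ESP and IKE rules restricted to the known peer are the part that still applies.

```shell
#!/bin/sh
# Added example: ipfw rulesets for an IPsec tunnel peer behind ipfw.
# Assumed/constructed values (not from the original thread):
EXT_IF=fxp0                  # external interface
PEER=203.0.113.10            # remote VPN gateway (documentation address)
REMOTE_NET=192.168.2.0/24    # RFC1918 network behind the peer

# Weak ruleset: the "gaping hole". Any packet arriving on the outside
# with a 192.168.2.x source is accepted, whether or not it came out of
# an ESP tunnel, so a spoofed cleartext packet walks straight in.
weak_rules() {
    cat <<EOF
add 1000 allow ip from $REMOTE_NET to any in via $EXT_IF
add 65000 deny ip from any to any
EOF
}

# Hardened ruleset. Only the known peer may speak IKE (UDP 500) and ESP
# to this host; the remote network is accepted only when the packet
# carries IPsec history, i.e. the kernel decapsulated it from a valid
# SA (assumes ipfw2 plus IPSEC_FILTERTUNNEL / net.inet.ipsec.filtertunnel).
# Cleartext private-range sources on the outside are logged and dropped.
hardened_rules() {
    cat <<EOF
# IKE and ESP only from the peer we negotiated with
add 200 allow udp from $PEER 500 to me 500 in via $EXT_IF
add 201 allow esp from $PEER to me in via $EXT_IF
# remote network, but only after decapsulation from a valid SA
add 300 allow ip from $REMOTE_NET to any in via $EXT_IF ipsec
# anything else claiming a private source on the outside is spoofed
add 310 deny log ip from 10.0.0.0/8 to any in via $EXT_IF
add 311 deny log ip from 172.16.0.0/12 to any in via $EXT_IF
add 312 deny log ip from 192.168.0.0/16 to any in via $EXT_IF
add 65000 deny ip from any to any
EOF
}

# Load the hardened set on a FreeBSD host:  sh this_script.sh apply
# (does nothing when run elsewhere or without the argument)
if [ "${1:-}" = "apply" ] && command -v ipfw >/dev/null 2>&1; then
    ipfw -q -f flush
    hardened_rules | grep -v '^#' | while read -r rule; do
        ipfw -q $rule
    done
fi
```

Rule 300 must sit before the private-range denies, since the decapsulated inner packet still arrives "in via" the external interface and would otherwise be dropped by rule 312. Rule 201 is the one that matters even on an ipfw without the `ipsec` option: ESP from anyone other than the peer never reaches the kernel's SA lookup, and ESP from the peer that does not match an SA is discarded by the kernel, so the only way a spoofed 192.168.2.x packet can get through is a rule that accepts that source in cleartext.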