Re: linux-ipsec: IPSec Masquerade

> Am I correct in thinking that it is technically possible to masquerade
> the ESP protocol without a great deal of difficulty?

I don't think so, at least not in any very general way.
In tunnel mode, the ESP encryption hides everything, including the
addresses, in the inner IP header. You can masquerade the outer IP
header, and indeed that is sometimes useful, but it's also nearly trivial.
The only real support that's lacking is a more general "-P" option on
ipfwadm, so that we could write ipfwadm rules applying specifically to ESP
packets (and AH too, please -- we can't masquerade it but being able to
firewall it would help). THIS WOULD BE USEFUL! But it's probably not
what you were thinking of.

In transport mode, while ESP does not protect the addresses in the IP
header, it does authenticate and encrypt the transport-protocol header.
That includes the port numbers. Worse, the major transport protocols --
TCP and UDP -- both have internal checksums covering not only the data,
but also a "pseudo-header" which includes the IP addresses. And those
checksums, of course, are in the transport-protocol header. You can't
masquerade transport-mode TCP or UDP traffic -- that is, just about any
higher-level protocol of interest -- when the transport-protocol header is
hidden and unalterable.

This is, I'm afraid, basically a feature, not a bug. Informally stated,
one of the basic objectives of IPSEC is to make sure that nobody messes
with the packets en route, *in any way*. A masquerading gateway really
needs to be a security gateway, too, so that *it* can do the encrypting
and authenticating, after messing with addresses etc. as appropriate.

> And the important question if nobody has done this yet: for a given

No. SPIs (together with protocol and destination address) identify SAs,
which are unidirectional. The SPI is assigned by the destination host of
the SA. In general, there will be no relationship between the SPIs for
the two SAs used to establish a bidirectional connection.

Henry Spencer
henry@spsystems.net
(henry@zoo.toronto.edu)
Received on Thu Jan 14 15:45:10 1999
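The transport-mode argument above, as an added example that is not part of the original message: a constructed UDP segment whose checksum covers the IP pseudo-header, showing that a masquerading gateway can rewrite the source address and recompute the checksum in the clear, but not when the segment sits inside ESP. ESP is modelled only as an integrity check value over the segment (no cipher, not an RFC 2406 implementation), and the key and addresses are made up.

```python
import hashlib
import hmac
import socket
import struct

UDP_PROTO = 17  # all addresses, ports and the key below are constructed for the demo

def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum (odd length padded with a zero byte)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IPv4 pseudo-header: the addresses are part of what the UDP checksum covers."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, UDP_PROTO, length)

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src, dst, length) + header + payload) or 0xFFFF
    return header[:6] + struct.pack("!H", csum) + payload

def udp_checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    # Receiver side: summing the segment together with its checksum field must give zero.
    return internet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0

def masquerade_cleartext(segment: bytes, dst: str, new_src: str) -> bytes:
    # What a masquerading gateway does in the clear: rewrite the address, recompute the checksum.
    sport, dport = struct.unpack("!HH", segment[:4])
    return build_udp(new_src, dst, sport, dport, segment[8:])

def esp_protect(key: bytes, segment: bytes) -> bytes:
    """Transport-mode ESP, modelled as an ICV over the segment (not over the IP header)."""
    return segment + hmac.new(key, segment, hashlib.sha256).digest()

def esp_receive(key: bytes, src: str, dst: str, protected: bytes) -> str:
    segment, icv = protected[:-32], protected[-32:]
    if not hmac.compare_digest(icv, hmac.new(key, segment, hashlib.sha256).digest()):
        return "icv-failed"
    return "ok" if udp_checksum_ok(src, dst, segment) else "udp-checksum-failed"

def demo() -> tuple:
    key, src, dst, nat = b"constructed-sa-key", "10.0.0.5", "192.0.2.10", "198.51.100.1"
    seg = build_udp(src, dst, 40000, 500, b"hello")
    clear = udp_checksum_ok(nat, dst, masquerade_cleartext(seg, dst, nat))
    # With ESP the gateway can only rewrite the outer header; the segment is opaque to it,
    # so the ICV still verifies but the inner checksum no longer matches the translated address.
    return clear, esp_receive(key, nat, dst, esp_protect(key, seg))
```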