
Re: [Design] letting traffic flow through a SG by default

From: Michael Richardson <mcr(at)sandelman.ottawa.on.ca>
Date: Wed Mar 12 2003 - 23:03:54 EST


>>>>> "Sam" == Sam Sgro <sam@freeswan.org> writes:

    Sam> (Caveat: If I make an erroneous assumption about OE's method of
    Sam> negotiation, please correct me.)

  Not about OE, but rather, about what packetdefault=pass does.

    Sam> Imagine this scenario: I've got a gateway running FreeS/WAN, configured
    Sam> with a few VPN conns. If that gateway were configured to do OE only for
    Sam> itself, a malicious hacker could negotiate an OE connection with it, and
    Sam> then pass packets intended for the subnet behind down the tunnel.
  1. it only affects outbound.
  2. even were it not to be set, the attack you detail would still occur.

  The only defense against this scenario is to have a properly configured firewall so that packets with the wrong source IP do not get in.

  Now, since the attacker can be malicious, and put the wrong packet in the tunnel, the attacker can also spoof things with the right source.   This is a one way attack (no replies will be seen). Of course, there are lots of one-way attacks on Winblows.

  The solution to above is to make sure that packets emerging from KLIPS are marked in some way with the tunnel that they came from. This is currently done in 2.xx by setting the nfmark bits with the SAref value. (Mind you, there is no convincing test for this yet, so it might not work)

  To get completed, we need to have pluto express the SAref that it got from KLIPS to the updown and firewall scripts, so that they can configure things. This is partially dependent upon the advanced routing _updown script.

    Sam> I believe the security concerns raised in employing packetdefault=pass
    Sam> by default nix this as a solution.

  No, there is really no effect.
  The problem is a problem.

    Sam> For OE, we have chosen to direct *all* packets, regardless of source or
    Sam> destination, through ipsec0. One solution would involve re-thinking this
    Sam> logic.

  Sure. We can do that. I don't see any value.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr(at)sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
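The defence described in the message above (accept a packet leaving a tunnel only if its source matches what that tunnel's peer negotiated, and drop clear-text packets that claim an internal source), modelled in Python as an added illustration. This is not FreeS/WAN or KLIPS code; the mark values, prefixes and tunnel table are constructed.

```python
"""Illustrative model of a mark-aware ingress policy: packets that have just
left a tunnel carry a mark identifying that tunnel, and the firewall accepts a
marked packet only if its source address belongs to the prefix negotiated for
that tunnel.  Unmarked packets claiming an internal source are dropped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tunnel table: mark value -> remote prefix allowed as source.
# In the design above the mark is the SAref that KLIPS hands to pluto and on
# to the updown script; the numbers used here are made up for the example.
TUNNELS = {
    0x11: ip_network("192.0.2.0/24"),      # site-to-site VPN to branch A
    0x12: ip_network("198.51.100.7/32"),   # OE peer that negotiated only for itself
}
INTERNAL = ip_network("10.1.0.0/16")       # subnet behind the gateway (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    mark: Optional[int] = None   # None: arrived in the clear, not via a tunnel


def verdict(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet entering the gateway."""
    src = ip_address(pkt.src)
    if pkt.mark is None:
        # Clear-text ingress: a packet claiming an internal source is spoofed.
        return "DROP" if src in INTERNAL else "ACCEPT"
    allowed = TUNNELS.get(pkt.mark)
    if allowed is None:
        return "DROP"              # mark for an SA we never set up
    # Tunnel ingress: the source must be what that peer negotiated.  Without
    # the mark, a spoofed packet from the OE peer would be indistinguishable
    # from genuine branch A traffic once it emerged from KLIPS.
    return "ACCEPT" if src in allowed else "DROP"
```

The interesting case is the OE peer (mark 0x12) sending a packet with a branch A source address: it is dropped only because the mark ties the packet to the tunnel it came out of.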



Design mailing list
Design@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/design

Received on Thu Mar 13 02:35:25 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:57 EDT

