
RE: Inbound packet processing- mobile host problem



Let us consider the following scenario


       PPP            internet                 Local intranet                           
 H1 --------[ISP]---------------- SG2 ----------------------------------H2
                                            
Here let us assume H1 is the mobile host which wants to contact one of the machines (H2)
inside the home organisation. Now H1 dials up to any local ISP and gets a public IP address,
which H1 uses to contact SG2. In this case it is equivalent to any new machine trying to
get into the organizational network, so is there any means by which SG2 can associate the dynamically
allocated IP address with H1?

Venkatesh

In this case Let us
On Friday, March 31, 2000 10:48 PM, Joern Sierwald [SMTP:joern.sierwald@F-Secure.com] wrote:
> At 20:05 31.3.2000 +0530, you wrote:
> >Hi all
> >I have the following doubts regarding the IPSEC
> >
> >(1)	According to the RFC, for the inbound packets, the SA (tunnel mode) is
> retrieved based on the 
> >
> >            --The Destination IP address of the Outer IP header
> >            --SPI
> >            --IPsec protocol
> >
> >    (a)Does this mean that the security gateway can allot the same SPI
> value for the different IP addresses (supposing It has
> >    more than one IP addresses)?
> >
> Yes it can. I wouldn't implement it that way, though. It's easier to
> check whether the destination addr belongs to the GW at all and then
> do a (prot/SPI) lookup on incoming packets. 
> 
> >(2) In the case of a mobile host contacting the home security gateway
> after dialing to a local PPP
> >server  on the Internet and then crossing the Internet to the home
> organization's firewall , then is there any automated way
> >for the discovery/verification of the security gateway/mobile host??
> >
> I'm afraid that you have to rephrase that. A drawing (ASCII) would be nice
> as well.
> If you're asking how a FW and a SGW (two computers) can communicate
> (how does the FW know that packets were handled by the SGW),
> the usual way is to map the mobile users into a private network
> using NAT.
> 
> >
> >Venkatesh
> >
> 
> Jörn Sierwald
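The two inbound lookups discussed in the quoted reply, as an added Python illustration (not code from either poster): the RFC-style lookup keyed on (outer destination, SPI, protocol), beside the simpler variant of first checking that the destination belongs to the gateway and then keying on (protocol, SPI). The gateway addresses, SPIs, SA labels and the helper names (build_packet, parse_selector, InboundSADB) are all constructed for the example. It shows why reusing one SPI on two gateway addresses is legal under the triple key but makes the pair key ambiguous, and that the outer source address (H1's ISP-assigned address in the drawing above) is not part of either key.

```python
import ipaddress
import struct

ESP, AH = 50, 51                       # IP protocol numbers for ESP and AH
PROTO_NAME = {ESP: "ESP", AH: "AH"}


def build_packet(src, dst, proto, spi, seq=1):
    """Construct a minimal outer IPv4 header followed by an ESP or AH header.
    Constructed test input only: no payload, no ICV, IP checksum left at 0."""
    if proto == ESP:
        ipsec_hdr = struct.pack("!II", spi, seq)              # ESP: SPI, sequence number
    elif proto == AH:
        ipsec_hdr = struct.pack("!BBHII", 0, 4, 0, spi, seq)  # AH: next hdr, len, rsvd, SPI, seq
    else:
        raise ValueError("proto must be ESP or AH")
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(ipsec_hdr), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return ip_hdr + ipsec_hdr


def parse_selector(packet):
    """Extract the inbound SA selector (outer dst, SPI, IPsec protocol) from a raw packet.
    The outer *source* address is deliberately not part of the selector."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    if proto == ESP:
        (spi,) = struct.unpack("!I", packet[ihl:ihl + 4])       # SPI is the first ESP word
    elif proto == AH:
        (spi,) = struct.unpack("!I", packet[ihl + 4:ihl + 8])   # SPI follows the 4-byte AH prefix
    else:
        raise ValueError("not an ESP or AH packet")
    return dst, spi, PROTO_NAME[proto]


class InboundSADB:
    """Inbound SA database for a gateway owning several addresses (hypothetical helper)."""

    def __init__(self, gateway_addrs):
        self.gateway_addrs = set(gateway_addrs)
        self.sas = {}        # (dst, spi, proto) -> SA label   (RFC-style key)
        self.by_pair = {}    # (proto, spi) -> [SA labels]     (address-independent key)

    def add(self, dst, spi, proto, label):
        if dst not in self.gateway_addrs:
            raise ValueError(f"{dst} is not a gateway address")
        key = (dst, spi, proto)
        if key in self.sas:
            raise ValueError(f"duplicate SA {key}")
        self.sas[key] = label
        self.by_pair.setdefault((proto, spi), []).append(label)

    def allocate_spi(self, proto, start=0x100):
        """Pick an SPI unused for this protocol on *any* gateway address, so the
        simpler (proto, SPI) lookup stays unambiguous."""
        spi = start
        while (proto, spi) in self.by_pair:
            spi += 1
        return spi

    def lookup_rfc(self, packet):
        """Lookup keyed on the full (dst, SPI, proto) triple."""
        return self.sas.get(parse_selector(packet))

    def lookup_simple(self, packet):
        """Variant from the reply: check the destination is ours, then key on (proto, SPI)."""
        dst, spi, proto = parse_selector(packet)
        if dst not in self.gateway_addrs:
            return None                               # not addressed to this gateway at all
        labels = self.by_pair.get((proto, spi), [])
        if len(labels) > 1:
            raise LookupError(f"SPI {spi:#x} is reused on several gateway addresses")
        return labels[0] if labels else None


def demo():
    """Constructed scenario: SG2 owns two addresses and reuses SPI 0x1000 on both."""
    sg2 = InboundSADB({"192.0.2.1", "192.0.2.2"})
    sg2.add("192.0.2.1", 0x1000, "ESP", "tunnel-from-H1")
    sg2.add("192.0.2.2", 0x1000, "ESP", "tunnel-from-H3")   # legal under the triple key
    # H1's outer source is whatever address the ISP handed out; it plays no part in the lookup
    pkt_h1 = build_packet("198.51.100.77", "192.0.2.1", ESP, 0x1000)
    rfc_hit = sg2.lookup_rfc(pkt_h1)
    try:
        sg2.lookup_simple(pkt_h1)
        simple_ok = True
    except LookupError:
        simple_ok = False                                   # reuse made the pair key ambiguous
    # An SPI from allocate_spi() is unique across both addresses, so both lookups agree
    spi = sg2.allocate_spi("AH")
    sg2.add("192.0.2.2", spi, "AH", "ah-from-H4")
    pkt_h4 = build_packet("203.0.113.9", "192.0.2.2", AH, spi)
    stray = build_packet("203.0.113.9", "192.0.2.99", ESP, 0x1000)  # not a gateway address
    return {
        "rfc_hit": rfc_hit,
        "simple_ok": simple_ok,
        "allocated_spi": spi,
        "ah_rfc": sg2.lookup_rfc(pkt_h4),
        "ah_simple": sg2.lookup_simple(pkt_h4),
        "stray": sg2.lookup_simple(stray),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the triple-keyed lookup resolving H1's tunnel even though the same SPI exists on the other gateway address, the pair-keyed lookup refusing that ambiguous case, and both agreeing once SPIs are allocated uniquely across all of the gateway's addresses, which is the allocation discipline the simpler lookup relies on.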