From: Chris Lewis \(chrlewis\) (chrlewis@cisco.com)
Date: Mon Jun 20 2005 - 09:58:23 GMT-3
Consider the case where R1 and R2 are connected, R1 performs the
encryption using tunnel mode, R2 is the ISDN router. When R2 receives a
packet it will be encrypted, so all it sees is the encrypted packet. The
only thing copied from the original header to the outer header on R1 is
the precedence, the rest is hidden from R2. In this case, you clearly
can't use ACLs to identify the pre-encrypted traffic.
In the case where you are encrypting traffic directly on R2 things are
not so obvious; the order of operations is taken from:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
And is listed as follows:
* routing
* redirect to web cache
* NAT inside to outside (local to global translation)
* crypto (check map and mark for encryption)
* check output access list
* inspect (Context-based Access Control (CBAC))
* TCP intercept
* encryption
Things are therefore identified and marked for later encryption, then
outbound ACLs are applied (which is where I believe the dialer-list ACL
will be processed), and the packet is finally encrypted.
So whether you put encrypted or unencrypted values in the dialer list
ACL seems to depend on what case one considers.
Cheers
Chris
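As an added illustration (not from the thread, and not Cisco code), the following Python model walks one outbound packet through the order of operations listed above for the two cases Chris distinguishes: R1 encrypts and R2 only ever sees the ESP packet, versus R2 encrypting locally so that its output-ACL stage still sees the cleartext header. The addresses, ACL contents and the placement of the dialer-list check at the "check output access list" stage are assumptions made for the example; NAT, CBAC and TCP intercept are modelled as no-ops.

```python
"""Constructed model of the IOS output order of operations quoted in the thread
(routing, NAT, crypto mark, output ACL, inspect, TCP intercept, encryption).
Addresses, ACLs and helper names are assumptions for illustration only."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ESP = 50  # IP protocol number carried in the outer header of an IPsec ESP packet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    precedence: int = 0
    inner: Optional["Packet"] = None  # set when this is a tunnel-mode ESP packet


@dataclass(frozen=True)
class AclEntry:
    src: str                      # source prefix in CIDR notation
    dst: str                      # destination prefix in CIDR notation
    proto: Optional[int] = None   # None behaves like "permit ip" (any protocol)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First-match evaluation with an implicit deny, as an IOS ACL behaves."""
    for entry in acl:
        if (ip_address(pkt.src) in ip_network(entry.src)
                and ip_address(pkt.dst) in ip_network(entry.dst)
                and (entry.proto is None or entry.proto == pkt.proto)):
            return True
    return False


def esp_encapsulate(pkt: Packet, local: str, peer: str) -> Packet:
    """Tunnel mode: a new outer header between the peers; only precedence is
    copied from the original header and the original packet is hidden inside."""
    return Packet(src=local, dst=peer, proto=ESP, precedence=pkt.precedence, inner=pkt)


def output_pipeline(pkt: Packet, crypto_acl: List[AclEntry], dialer_acl: List[AclEntry],
                    local: str, peer: str) -> Tuple[bool, Packet]:
    """Run one packet through the order of operations from the thread and return
    (dialer_list_matched, packet_as_it_leaves_the_interface)."""
    # routing / web-cache redirect / NAT: no address change in this model
    marked = acl_permits(crypto_acl, pkt)        # crypto: check map and mark for encryption
    interesting = acl_permits(dialer_acl, pkt)   # check output access list (dialer-list here)
    # inspect (CBAC) / TCP intercept: no-ops in this model
    on_wire = esp_encapsulate(pkt, local, peer) if marked else pkt   # encryption
    return interesting, on_wire


# Constructed sample values: inner hosts and the two crypto peers.
HOST_ACL = [AclEntry("10.1.1.0/24", "10.2.2.0/24")]           # matches the original IPs
ESP_ACL = [AclEntry("192.0.2.0/24", "198.51.100.0/24", ESP)]  # matches the IPsec tunnel
R1_ADDR, PEER_ADDR = "192.0.2.1", "198.51.100.1"


def case_r1_encrypts() -> Tuple[bool, bool]:
    """R1 encrypts, R2 is the ISDN router: R2 receives only the ESP packet, so a
    dialer-list written for the original IPs cannot match it."""
    clear = Packet("10.1.1.10", "10.2.2.20", proto=6, precedence=5)
    arriving_at_r2 = esp_encapsulate(clear, R1_ADDR, PEER_ADDR)
    return acl_permits(HOST_ACL, arriving_at_r2), acl_permits(ESP_ACL, arriving_at_r2)


def case_r2_encrypts() -> Tuple[bool, bool, int]:
    """R2 encrypts itself: the output-ACL stage runs before encryption, so the
    dialer-list sees the cleartext header even though ESP leaves the interface."""
    clear = Packet("10.1.1.10", "10.2.2.20", proto=6, precedence=5)
    by_hosts, on_wire = output_pipeline(clear, HOST_ACL, HOST_ACL, R1_ADDR, PEER_ADDR)
    by_esp, _ = output_pipeline(clear, HOST_ACL, ESP_ACL, R1_ADDR, PEER_ADDR)
    return by_hosts, by_esp, on_wire.proto


if __name__ == "__main__":
    print("R1 encrypts, dialer-list on R2 matches (hosts, esp):", case_r1_encrypts())
    print("R2 encrypts, dialer-list matches (hosts, esp), wire proto:", case_r2_encrypts())
```

The model makes the dependency explicit: where the ISDN router is downstream of the encrypting router, only an entry for the ESP traffic between the peers can mark the call as interesting; where the ISDN router encrypts, the host addresses are what the dialer-list is evaluated against, while the protocol on the wire is still 50.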
________________________________
From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: Monday, June 20, 2005 2:28 AM
To: Chris Lewis (chrlewis); EdmondsSG@aol.com; ccielab@groupstudy.com
Subject: RE: IPSEC over DDR
So you think that in the order of operation, encryption comes before
deciding whether or not the traffic is interesting?
-- Richard
-----Original Message-----
From: Chris Lewis (chrlewis) [mailto:chrlewis@cisco.com]
Sent: Monday, June 20, 2005 3:21 AM
To: EdmondsSG@aol.com; ccielab@groupstudy.com
Subject: RE: IPSEC over DDR
Assuming you are using tunnel mode, an IPsec encrypted packet arriving
at an ISDN interface will only have the IPsec header viewable, the
original IP address and port information will be encrypted.
Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
EdmondsSG@aol.com
Sent: Sunday, June 19, 2005 3:46 PM
To: ccielab@groupstudy.com
Subject: IPSEC over DDR
Group,
just a quick question,
when configuring IPSEC over say ISDN, what should be classed as
interesting traffic? - the actual IPs or the IPSEC tunnel?
Segster
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3