From: Richard Dumoulin (Richard.Dumoulin@vanco.fr)
Date: Mon Jun 20 2005 - 10:26:39 GMT-3
I was only supposing the case in which one router both encrypts and dials.
And it is my experience that the traffic to encrypt and still in cleartext
will trigger the call.
The strange thing is that when typing show dial to see the reason of the
call, ISAKMP will "create" the interesting traffic. You will not see ISAKMP
traffic or the interesting traffic as a reason of the dial.
-- Richard
-----Original Message-----
From: Chris Lewis (chrlewis) [mailto:chrlewis@cisco.com]
Sent: Monday, June 20, 2005 2:58 PM
To: Richard Dumoulin; EdmondsSG@aol.com; ccielab@groupstudy.com
Subject: RE: IPSEC over DDR
Consider the case where R1 and R2 are connected, R1 performs the encryption
using tunnel mode, R2 is the ISDN router. When R2 receives a packet it will
be encrypted, so all it sees is the encrypted packet. The only thing copied
from the original header to the outer header on R1 is the precedence, the
rest is hidden from R2. In this case, you clearly can't use ACLs to identify
the pre-encrypted traffic.
In the case where you are encrypting traffic directly on R2 things are not
so obvious; the order of operations is taken from:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
And is listed as follows:
* routing
* redirect to web cache
* NAT inside to outside (local to global translation)
* crypto (check map and mark for encryption)
* check output access list
* inspect (Context-based Access Control (CBAC))
* TCP intercept
* encryption
Things are therefore identified and marked for later encryption, then
outbound ACLs are applied (which is where I believe the dialer-list ACL will
be processed), and the packet is finally encrypted.
So whether you put encrypted or unencrypted values in the dialer list ACL
seems to depend on what case one considers.
Cheers
Chris
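The two cases Chris describes, written out as an R2 configuration. This is an added example, not from the thread or from the Cisco tech note it links to; all addresses, hostnames, the pre-shared key and the dial string are assumptions. In case A (R2 both encrypts and dials) the order of operations above evaluates the dialer-list ACL at the output-ACL step, before the packet is encrypted, so the ACL matches the cleartext flows. In case B (R1 encrypts upstream, R2 only dials) R2 never sees the inner header, so its dialer-list ACL has to match the ESP and ISAKMP packets between the crypto endpoints instead.

```cisco
! ---------------------------------------------------------------
! Case A: R2 encrypts AND dials (assumed addressing:
!   LAN behind R2 10.1.1.0/24, LAN behind peer 10.2.2.0/24,
!   R2 BRI 192.0.2.1, peer ISDN address 192.0.2.2)
! ---------------------------------------------------------------
hostname R2
username PEER password 0 LAB-PPP
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key LAB-KEY address 192.0.2.2
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 101
!
! Cleartext flows to be encrypted (referenced by the crypto map)
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! Interesting traffic for DDR: the dialer-list ACL runs at the
! "check output access list" step, before encryption, so it
! matches the same cleartext flows, not ESP/ISAKMP.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
dialer-list 1 protocol ip list 102
!
interface BRI0
 ip address 192.0.2.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 dialer map ip 192.0.2.2 name PEER broadcast 5551212
 dialer-group 1
 crypto map VPN
!
! ---------------------------------------------------------------
! Case B: R1 (assumed crypto endpoint 198.51.100.1, reached via
! R2's LAN) encrypts; R2 only dials and carries the ESP packets.
! R2 has no crypto map here; it sees only the outer IPsec header,
! so the dialer-list ACL must match ESP and ISAKMP (UDP/500).
! ---------------------------------------------------------------
access-list 103 permit esp host 198.51.100.1 host 192.0.2.2
access-list 103 permit udp host 198.51.100.1 host 192.0.2.2 eq isakmp
dialer-list 2 protocol ip list 103
!
! On R2 in case B, replace "dialer-group 1" under BRI0 with
! "dialer-group 2" and omit "crypto map VPN".
```

In case A, ACL 102 is deliberately identical to ACL 101 to show that both describe the same cleartext flows; in practice `dialer-list 1 protocol ip list 101` works just as well. `show dialer` reports the dial reason as the source and destination of the packet that matched, which is how the two cases can be told apart on a live router.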
_____
From: Richard Dumoulin [mailto:Richard.Dumoulin@vanco.fr]
Sent: Monday, June 20, 2005 2:28 AM
To: Chris Lewis (chrlewis); EdmondsSG@aol.com; ccielab@groupstudy.com
Subject: RE: IPSEC over DDR
So you think that in the order of operation, encryption comes before
deciding whether or not the traffic is interesting?
-- Richard
-----Original Message-----
From: Chris Lewis (chrlewis) [mailto:chrlewis@cisco.com]
Sent: Monday, June 20, 2005 3:21 AM
To: EdmondsSG@aol.com; ccielab@groupstudy.com
Subject: RE: IPSEC over DDR
Assuming you are using tunnel mode, an IPsec encrypted packet arriving
at an ISDN interface will only have the IPsec header viewable, the
original IP address and port information will be encrypted.
Chris
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of EdmondsSG@aol.com
Sent: Sunday, June 19, 2005 3:46 PM
To: ccielab@groupstudy.com
Subject: IPSEC over DDR
Group,
just a quick question,
when configuring IPSEC over say ISDN, what should be classed as
interesting traffic? - the actual IPs or the IPSEC tunnel?
Segster
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3