18 messages in org.freebsd.freebsd-securityRe: Can't set up an IPsec tunnel.| From | Sent On | Attachments |
|---|---|---|
| dr3node | Jan 24, 2002 7:47 am | |
| Lawrence Sica | Jan 24, 2002 9:59 am | |
| dr3node | Jan 24, 2002 10:43 am | |
| Eric Anderson | Jan 24, 2002 10:54 am | |
| dr3node | Jan 24, 2002 10:56 am | |
| Eric Anderson | Jan 24, 2002 11:05 am | |
| Lawrence Sica | Jan 24, 2002 11:05 am | |
| Eric Anderson | Jan 24, 2002 11:06 am | |
| Lawrence Sica | Jan 24, 2002 11:22 am | |
| Kerin Millar | Jan 24, 2002 11:26 am | |
| Eric Anderson | Jan 24, 2002 11:29 am | |
| Thomas T. Veldhouse | Jan 24, 2002 11:43 am | |
| Nate Williams | Jan 24, 2002 12:01 pm | |
| Nate Williams | Jan 24, 2002 12:06 pm | |
| Eric Anderson | Jan 24, 2002 12:11 pm | |
| Nate Williams | Jan 24, 2002 12:14 pm | |
| Peter Chiu | Jan 24, 2002 1:26 pm | |
| Vadim E. Martysh | Jan 24, 2002 2:11 pm |
| Subject: | Re: Can't set up an IPsec tunnel. | |
|---|---|---|
| From: | Eric Anderson (ande...@centtech.com) | |
| Date: | Jan 24, 2002 12:11:31 pm | |
| List: | org.freebsd.freebsd-security | |
I'm not saying B can modify the data, I'm saying A can't trust C's data, since it appears to come from B, and C builds it as if it's coming from C, with no knowledge that B is NAT'ing..
Nate Williams wrote:
As far as I know, no, because that would be like a "man in the middle" attack (I think). Like this:
A <--- B ---> C
If A is talking to C via IPSEC, A tells C it's IP (the true IP) and C tells A it's IP (its true IP, behind the masquaraded host), but A sees C as B's IP address. How does it know that C knows that B exists?
It doesn't matter, since B can't read/modify the traffic A or C generated.
It can certainly mess with the headers all it wants, but that won't help it figure out what is going on.
(Again, this assumes that A & C have authenticated themselves correctly, per the IPSEC specification. :)
Nate
dr3node wrote:
On Thursday 24 January 2002 21:55, you wrote:
IPSEC won't work through masquarading boxes or NAT firewalls.
Eric
is there any way way to cheat?
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
--
------------------------------------------------------------------ Eric Anderson ande...@centtech.com Centaur Technology If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
--
------------------------------------------------------------------ Eric Anderson ande...@centtech.com Centaur Technology If at first you don't succeed, sky diving is probably not for you.
------------------------------------------------------------------
To Unsubscribe: send mail to majo...@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message