RU.UNIX.BSD
------------------------------------------------------------------
From    : Alexander Starostin    2:5020/1297.153    05 Sep 2004 17:38:26
To      : Eugene Grosbein
Subject : ipsec
--------------------------------------------------------------------------------

EG> Now I also want to encrypt transit traffic; the first machine has the
EG> network 1.1.1.65/26 on its other interface, the second has 1.1.1.1/26.
EG> I add to ipsec.conf by analogy (symmetrically on the second machine):
EG> # description of the second flow
EG> spdadd 1.1.1.0/26 1.1.1.64/26 any -P in ipsec
EG>     esp/transport/1.1.1.162-1.1.1.161/require;
EG> spdadd 1.1.1.64/26 1.1.1.0/26 any -P out ipsec
EG>     esp/transport/1.1.1.161-1.1.1.162/require;
EG> Now I run the same ping between the same machines,
EG> but this time from address 1.1.1.65 to 1.1.1.1. On the responding machine
EG> I see the incoming encrypted packet with tcpdump, and that is all. No reply.
EG> On the responding machine the rule list starts with allow icmp from any to
EG> me, and it does not match. Conclusion: the packets are not being decrypted.

The book "IPSEC" (ISBN 0-13-046189-X), chapter 3, states: "transport mode can only be used to protect packets where the communications endpoint is also the cryptographic endpoint." In other words, spdadd ... esp/transport/ should be used with a /32 mask, and conversely, a mask other than /32 should be used only with spdadd ... esp/tunnel/. I modestly suspect all of this is because the dst ip is part of the tuple needed to identify the right SA:

===
Security Parameter Index (SPI)

The SPI is a very important element in the SA. An SPI is a 32-bit entity that is used to uniquely identify an SA at the receiver. It was mentioned before that the security context or SA is a contract between two hosts communicating securely and indicates the parameters, such as keys and algorithms.

However, there has to be some mechanism for the source to identify which SA to use to secure the packet and for the destination to identify which SA to use to check the security of the received packet. The source identifies the SA by using the selectors. However, the destination does not have access to all the fields in the selectors as some of the fields in the selectors belong to the transport layer. To solve the problem of identifying the SA on the destination, the SPI that uniquely identifies the SA on the destination is sent with every packet. The destination uses this value to index into the receiving SADB and fetch the SA. The obvious questions are who guarantees the uniqueness of the mapping between the SPI and SA and what is the domain of uniqueness on the destination for each protocol: global, per source, or per address on the host. It is up to the receiver/destination to guarantee this uniqueness. It is a requirement to maintain a separate SPI domain for each protocol. The destination can use any consistent mechanism to guarantee uniqueness inside each domain. The IPSec architecture specifies that the <spi, destination address> in the packet should uniquely identify an SA. The receiver allocates the SPI that is stored as part of the SA on the sender. The sender includes this in every packet under the assumption that the receiver can use this to uniquely identify the SA. If the receiver does not guarantee uniqueness, packets will fail security checks as invalid keys and transforms may be used. The sending host uses the selectors to uniquely index into the sending SADB. The output of this lookup is an SA that has all the negotiated security parameters, including the SPI. The host that allocates the SPI guarantees uniqueness. The SPI is reused once the SA expires, but it is guaranteed that at any point the mapping between <spi, dst> and SA is one to one.

The src address is used in cases where the host is multihomed, that is, a host with more than one IP interface. This can be because there is more than one network card on the host or because multiple IP interfaces are configured on the same network card (the host has multiple IP addresses). In this case, it is possible that the index <spi, dst> is not unique and src is used to resolve the ambiguity. The SPI is transmitted as part of AH and ESP headers. The receiving host uses the tuple <spi, dst, protocol> (where dst is the destination address in the IP header) to uniquely identify the SA. It is possible to use the source address in addition to <spi, dst, protocol> to uniquely identify an SA to conserve the SPI space. However, this is not part of the standards and is something specific to an implementation.
===

Have a nice day!

---
 * Origin: (2:5020/1297.153)
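As an added example, not part of the message above or of the setkey tool: a small Python lint for setkey spdadd statements that applies the rule the post cites, flagging transport-mode policies whose selectors are networks rather than /32 hosts, or whose SA addresses are not the hosts the selector names. The sample policies are constructed from the two quoted in the message plus an assumed tunnel-mode rewrite and a host-to-host transport policy; port selectors ([port]) are not parsed.

```python
import ipaddress
import re

# Constructed sample, not from the post: the two transport-mode policies quoted
# in the message, one rewritten as tunnel mode (assumed fix), and a valid
# host-to-host transport policy. Port selectors are not handled (assumption).
SAMPLE_SPD = """
spdadd 1.1.1.0/26 1.1.1.64/26 any -P in ipsec esp/transport/1.1.1.162-1.1.1.161/require;
spdadd 1.1.1.64/26 1.1.1.0/26 any -P out ipsec esp/transport/1.1.1.161-1.1.1.162/require;
spdadd 1.1.1.64/26 1.1.1.0/26 any -P out ipsec esp/tunnel/1.1.1.161-1.1.1.162/require;
spdadd 1.1.1.161/32 1.1.1.162/32 any -P out ipsec esp/transport//require;
"""

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?:in|out)\s+ipsec\s+"
    r"(?:esp|ah)/(?P<mode>transport|tunnel)/"
    r"(?:(?P<sa_src>[^-/\s]+)-(?P<sa_dst>[^/\s]+))?/\w+\s*;"
)

def lint_policy(line):
    """Return findings for one spdadd line; [] means the policy looks consistent."""
    m = SPDADD_RE.search(line)
    if m is None:
        return ["unparsed spdadd line"]
    src = ipaddress.ip_network(m["src"], strict=False)
    dst = ipaddress.ip_network(m["dst"], strict=False)
    if m["mode"] == "tunnel":
        return []  # tunnel mode adds an outer header, so whole networks are fine
    findings = []
    # Transport mode keeps the original IP header: the packet's own src/dst are
    # the only possible cryptographic endpoints, so each selector must be one host.
    if src.num_addresses != 1 or dst.num_addresses != 1:
        findings.append("transport mode with a network selector; use esp/tunnel/ or /32 hosts")
    # If SA addresses are given, they must be the very hosts the selector names,
    # because the receiver looks the SA up by <spi, dst, protocol> of that header.
    if m["sa_src"] is not None:
        sa_src = ipaddress.ip_address(m["sa_src"])
        sa_dst = ipaddress.ip_address(m["sa_dst"])
        if sa_src not in src or sa_dst not in dst:
            findings.append("SA endpoints %s-%s are not the selector endpoints" % (sa_src, sa_dst))
    return findings

def lint_spd(text):
    """Lint every spdadd statement in a setkey configuration; one findings list each."""
    return [lint_policy(l) for l in text.strip().splitlines() if l.strip().startswith("spdadd")]

if __name__ == "__main__":
    for line, findings in zip(SAMPLE_SPD.strip().splitlines(), lint_spd(SAMPLE_SPD)):
        print(line.split(" -P ")[0], "->", findings or "ok")
```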