[anonsec] 3401 and highjacking
Nicolas.Williams at sun.com
Sat Feb 11 01:31:25 PST 2006
On Fri, Feb 10, 2006 at 08:03:54PM -0500, Michael Richardson wrote:
> Now, relevance to BTNS: BTNS means that *ALL* hosts on the Internet are
> possibly able to make connections, not just your set of trusted road
As the size of a trust domain approaches the size of the Internet the
difference between BTNS and non-BTNS approaches zero. I'm assuming the
use of wildcard PAD entries and the non-use o iPAddress subject alt
names for "clients" -- a fair assumption for an organization that large!
> Last time I asked what modes were going to be used, I was told transport
> mode, and that this was going to just "work" through NAT (or that NAT wasn't
> important). I think that exactly how the gateway deals with NAT (and
> therefore what shape it's SPD takes) is going to be relevant.
BTNS is intended (e.g., by yours truly) to be used in end-to-end
communications, not for client<->SG. The point I'm trying to make
(before David Black does :) is that tunnel vs. transport mode isn't as
interesting as whether BTNS is used to protect tunnelled traffic or
end-to-end comms. And this because iSCSI uses tunnel mode, though it
doesn't actually tunnel anything (in the SG sense).
> We may have to specify one solution as being better than others, or at
> least explain how to write the right SPD entries for various NAT-T+transport
I think we want to leave tunnelling out of scope for BTNS. That doesn't
simplify things so much though -- we still need connection latching and,
ultimately APIs to inspect what is latched and channel bindings. But
note that IPsec generally needs this, and not because of BTNS -- BTNS is
merely bringing the issue to a head.
More information about the ANONSEC