[anonsec] 3401 and highjacking

[Nicolas Williams]

On Fri, Feb 10, 2006 at 08:03:54PM -0500, Michael Richardson wrote:
>   Now, relevance to BTNS: BTNS means that *ALL* hosts on the Internet are
> possibly able to make connections, not just your set of trusted road
> warriors. 

As the size of a trust domain approaches the size of the Internet the
difference between BTNS and non-BTNS approaches zero.   I'm assuming the
use of wildcard PAD entries and the non-use o iPAddress subject alt
names for "clients" -- a fair assumption for an organization that large!

>   Last time I asked what modes were going to be used, I was told transport
> mode, and that this was going to just "work" through NAT (or that NAT wasn't
> important). I think that exactly how the gateway deals with NAT (and
> therefore what shape it's SPD takes) is going to be relevant.

BTNS is intended (e.g., by yours truly) to be used in end-to-end
communications, not for client<->SG.  The point I'm trying to make
(before David Black does :) is that tunnel vs. transport mode isn't as
interesting as whether BTNS is used to protect tunnelled traffic or
end-to-end comms.  And this because iSCSI uses tunnel mode, though it
doesn't actually tunnel anything (in the SG sense).

>   We may have to specify one solution as being better than others, or at
> least explain how to write the right SPD entries for various NAT-T+transport
> combinations.

I think we want to leave tunnelling out of scope for BTNS.  That doesn't
simplify things so much though -- we still need connection latching and,
ultimately APIs to inspect what is latched and channel bindings.  But
note that IPsec generally needs this, and not because of BTNS -- BTNS is
merely bringing the issue to a head.

Nico
--