Firewalls [was: H.320 gateways a MEGACO / ITU]

Matt Holdrege matt at ASCEND.COM
Wed Mar 31 22:03:26 EST 1999


If you are using ESP, there are no worries. The endpoints unwrap the
original packet and process it as normal. The firewall doesn't know or care
about the original internal packet.

But if we are talking about MEGACO and I originally thought we were, you
don't need to use ESP if you don't want to. For security's sake, you may
wish to use AH in which case the firewall will simply authenticate the
packet and pass it through without any worries.

The only worries are if you are using NAT.


At 11:14 AM 4/1/99 +1000, Douglas Clowes wrote:
>Hi Matt,
>
>I've read 2401 (IPsec), 2402 (AH), and 2406 (ESP) before. I've also
>skimmed, but probably not understood, the ones on IKE and ISAKMP and OAKLEY
>too. I've just re-skimmed 2401/2/6 and still don't have the answer.
>
>Re-reading the postings, they're about H.323 proxies, call signalling, and
>H.245 - some people are talking about H.323 rather than megaco/H.gcp, and
>that's part of the problem: different threads by different people.
>
>My points are several, and relate to firewalls (as noted by the subject
>change).
>
>In a mode 3 security association:
>> 3. neither endpoint is the same -- The inner and outer
>>    tunnels could each be either AH or ESP.
>>
>> Host 1 --- Security ---- Internet -- Security --- Host 2
>>  |          Gwy 1                      Gwy 2         |
>>  |            |                          |           |
>>  |            --Security Assoc 1 (tunnel)-           |
>>  |                                                   |
>>  -----------Security Association 2 (tunnel)-----------
>
>where Security Association 2 is ESP, how is SG1 or SG2 going to do packet
>filtering and port opening?
>
>Or, if SG1/SG2 is a single entity, as in Case 4:
>>  ======================================================
>>  |                                                    |
>>  |==============================                      |
>>  ||                            |                      |
>>  ||                         ---|----------------------|---
>>  ||                         |  |                      |  |
>>  H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
>>        ^                    |           Intranet)        |
>>        |                    ------------------------------
>>  could be dialup              admin. boundary (optional)
>>  to PPP/ARA server
>
>or SG2, here, is "just" a firewall, instead of a Signalling Gateway.
>
>Assuming that the SA between H1 and H2 involves payload encryption, such as
>ESP, and is call signalling or H.245, how does SG2 cope with finding the
>IP/port pairs, even in a text based protocol?
>
>My interest extends beyond megaco/H.gcp, and includes Annex G. How do we
>handle this in the more general case?
>
>Douglas
>
>At 16:05 1999-03-31 -0800, Matt Holdrege wrote:
>>You can read RFC 2401 & 2402 to find out about IPsec and AH. And this
>>discussion is about MEGACO/H.GCP which is not the same as H.323.
>
>
>



More information about the sg16-avd mailing list