Firewalls [was: H.320 gateways a MEGACO / ITU]

Douglas Clowes dclowes at OZEMAIL.COM.AU
Wed Mar 31 20:14:23 EST 1999


Hi Matt,

I've read 2401 (IPsec), 2402 (AH), and 2406 (ESP) before. I've also
skimmed, but probably not understood, the ones on IKE and ISAKMP and OAKLEY
too. I've just re-skimmed 2401/2/6 and still don't have the answer.

Re-reading the postings, they're about H.323 proxies, call signalling, and
H.245 - some people are talking about H.323 rather than megaco/H.gcp, and
that's part of the problem: different threads by different people.

My points are several, and relate to firewalls (as noted by the subject
change).

In a mode 3 security association:
> 3. neither endpoint is the same -- The inner and outer
>    tunnels could each be either AH or ESP.
>
> Host 1 --- Security ---- Internet -- Security --- Host 2
>  |          Gwy 1                      Gwy 2         |
>  |            |                          |           |
>  |            --Security Assoc 1 (tunnel)-           |
>  |                                                   |
>  -----------Security Association 2 (tunnel)-----------

where Security Association 2 is ESP, how is SG1 or SG2 going to do packet
filtering and port opening?

Or, if SG1/SG2 is a single entity, as in Case 4:
>  ======================================================
>  |                                                    |
>  |==============================                      |
>  ||                            |                      |
>  ||                         ---|----------------------|---
>  ||                         |  |                      |  |
>  H1* ----- (Internet) ------| SG2* ---- (Local ----- H2* |
>        ^                    |           Intranet)        |
>        |                    ------------------------------
>  could be dialup              admin. boundary (optional)
>  to PPP/ARA server

or SG2, here, is "just" a firewall, instead of a Signalling Gateway.

Assuming that the SA between H1 and H2 involves payload encryption, such as
ESP, and is call signalling or H.245, how does SG2 cope with finding the
IP/port pairs, even in a text-based protocol?

My interest extends beyond megaco/H.gcp, and includes Annex G. How do we
handle this in the more general case?

Douglas

At 16:05 1999-03-31 -0800, Matt Holdrege wrote:
>You can read RFC 2401 & 2402 to find out about IPsec and AH. And this
>discussion is about MEGACO/H.GCP which is not the same as H.323.
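The filtering problem Douglas raises can be seen directly in the packet layouts of RFC 2402 and RFC 2406. The following Python is an added illustration, not code from the thread or from either RFC: it builds two constructed sample packets, one AH-in-transport-mode (TCP header authenticated but in the clear) and one ESP (everything after SPI and sequence number encrypted, including the Next Header byte in the trailer), and then shows what a stateless filter sitting where SG1/SG2 sit can recover without the SA keys. The 96-bit ICV size, the opaque bytes standing in for ciphertext, the addresses and the ephemeral source port are all assumptions; 1720 is the registered H.323 call signalling port.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # RFC 2406
IPPROTO_AH = 51    # RFC 2402

def ipv4_header(proto, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x01\x02"):
    """Minimal 20-byte IPv4 header, no options. Constructed sample: checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0x1234, 0, 64, proto, 0, src, dst)

def tcp_header(sport, dport):
    """20-byte TCP header with constructed seq/ack; data offset 5, flags PSH+ACK."""
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0)

def ah_packet(spi, seq, sport, dport):
    """AH (transport mode): Next Header, Payload Len, Reserved, SPI, Seq, ICV.
    Payload Len is in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4 for a 96-bit ICV.
    The TCP header that follows is integrity-protected but readable by a middlebox."""
    icv = b"\x00" * 12                              # assumed 96-bit ICV placeholder
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, seq) + icv
    body = ah + tcp_header(sport, dport)
    return ipv4_header(IPPROTO_AH, len(body)) + body

def esp_packet(spi, seq, ciphertext):
    """ESP: SPI and Seq are the only cleartext fields. Payload, padding, Pad Length
    and Next Header are all inside the ciphertext, so the transport protocol and
    ports are not recoverable without the SA keys."""
    icv = b"\x00" * 12                              # assumed 96-bit ICV placeholder
    body = struct.pack("!II", spi, seq) + ciphertext + icv
    return ipv4_header(IPPROTO_ESP, len(body)) + body

def firewall_view(packet):
    """Everything a stateless packet filter between the gateways can parse."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"ip_proto": proto, "spi": None, "seq": None,
            "inner_proto": None, "sport": None, "dport": None}
    if proto == IPPROTO_AH:
        nxt, plen, _, spi, seq = struct.unpack_from("!BBHII", packet, ihl)
        ah_len = (plen + 2) * 4                     # back to bytes
        view.update(spi=spi, seq=seq, inner_proto=nxt)
        if nxt == IPPROTO_TCP:
            sport, dport = struct.unpack_from("!HH", packet, ihl + ah_len)
            view.update(sport=sport, dport=dport)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack_from("!II", packet, ihl)
        view.update(spi=spi, seq=seq)               # nothing past this is parseable
    return view

if __name__ == "__main__":
    # Constructed H.323 call-signalling flow: ephemeral port 40000 -> 1720.
    print(firewall_view(ah_packet(0x1000, 1, 40000, 1720)))
    print(firewall_view(esp_packet(0x2000, 7, b"\xde\xad" * 20)))
```

With AH the filter sees protocol 6 and ports 40000/1720 and could open the matching pinhole; with ESP it sees only (SPI, sequence number), so any port-opening decision has to move to an endpoint that holds the keys or to a policy keyed on the SPI itself.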
