From: Brian A. Seklecki <lavalamp@sp...> - 2006-09-14 23:22:25
All, not a particular problem but a hypothetical configuration scenario
A few weeks ago I was experimenting with transport mode IPSec. Traditional
system-to-system configuration is very straight-forward.
However, what about systems where one wants to secure IP traffic to/from IP
Aliases / VIPs? Specifically, as good examples:
*) Systems in HA active/standby configurations that share a service IP.
*) Systems that reside in public IP space that have both a "management"
address and a "service" address (e.g., DNS servers).
With DNS, let's say you want all of your NOTIFY, XFER, query traffic, etc. to
originate from your service VIP. Easily specified.
However, some services cannot be bound/configured to source traffic from a
certain VIP -- syslog(3), ESP/AH, even racoon(8) cannot be told to bind
to a specific IP for sendto().
The scenario is you want to encrypt traffic between a dozen remotely
deployed machines (where there is no management network to VPN into) and
the master management machine. Some traffic you can control travels
between the service VIPs. Other traffic travels between the remotely
deployed systems' base/management IPs and the service VIP of a central

Has anyone explored this configuration? I'm looking to glean some
experience/advice. Which approach is best?
* Two, three, or four individual Transport Mode SAs between remote
machines and the master (not quite full mesh).
* A single SA that encrypts traffic for all permutations of VIP to

*) racoon(8)/isakmpd(8) do not seem to properly support binding to a
specific system IP and/or port (see my previous e-mail)
*) Does the "src range" / "dst range" in setkey(8) have to be a subnet
specification? Does "remote" and "sainfo" in racoon.conf(5) have to be a
single IP or can it be a CIDR/VLSM subnet? For transport mode, it's /32.
Presumably a /31 could be specified (not valid syntax in
any other place). /30 is too big and would blackhole two other
hosts near the remote system. There doesn't seem to be a way with
setkey(8) / ipsec.conf(5) to specify a range in non-CIDR/VLSM syntax
and I'm not sure if that's a limitation of the config file syntax
parsing or a requirement in the IPSEC RFC for transport mode to be
< /30 and tunnel mode to be = /32 IP designation.
*) Presumably if there were multiple SAs between two hosts with different
/32 specifications, one would want to use a different remote identifier
for each? The base system IP for the ID of the base-to-base tunnel; and
vice-versa, but that leaves the remote-mgmnt to base-VIP in question
*) I had other ideas including some tricky use of 'setkey spadd' but I've
forgotten them >:}
*) At this point it may be easier for me to hack syslogd(8).
Anyway, hypothetical questions open for discussion.
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."
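An added example (not code from the original post) of what the "individual transport mode SAs per permutation" approach looks like as setkey(8) SPD entries on one remote node. All addresses are constructed documentation-range values; the /32 prefixes are used because src_range/dst_range in setkey(8) only accept the address, address/prefixlen, address[port] and address/prefixlen[port] forms, so there is no non-CIDR range syntax to fall back on.

```conf
# Added example, not from the original post. SPD for the REMOTE node.
# Constructed documentation-range addresses (not real hosts):
#   remote  base/mgmt IP 192.0.2.10    remote  service VIP 192.0.2.20
#   central base/mgmt IP 198.51.100.5  central service VIP 198.51.100.50
flush;
spdflush;

# 1. base <-> base: syslog and anything else that cannot choose its
#    source address, since sendto() will pick the base IP.
spdadd 192.0.2.10/32 198.51.100.5/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.5/32 192.0.2.10/32 any -P in  ipsec esp/transport//require;

# 2. remote base -> central service VIP (e.g. syslog to a VIP-hosted
#    collector that only listens on the VIP).
spdadd 192.0.2.10/32 198.51.100.50/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.50/32 192.0.2.10/32 any -P in  ipsec esp/transport//require;

# 3. VIP <-> VIP: DNS NOTIFY/XFER/queries sourced from the service address.
spdadd 192.0.2.20/32 198.51.100.50/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.50/32 192.0.2.20/32 any -P in  ipsec esp/transport//require;

# 4. remote VIP -> central base (management traffic that the remote side
#    can only emit from its VIP).
spdadd 192.0.2.20/32 198.51.100.5/32 any -P out ipsec esp/transport//require;
spdadd 198.51.100.5/32 192.0.2.20/32 any -P in  ipsec esp/transport//require;
```

Because transport-mode SAs are keyed on the packet's own source and destination addresses, each /32 pair above yields its own SA pair when racoon(8) negotiates on demand, and the "require" level on the inbound entries discards unprotected packets for those pairs; the central node needs the mirror image (in/out swapped), and in an HA pair the standby node needs the same VIP entries installed so it can negotiate fresh SAs after failover.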