Subject: Re: Firewalls and NFS -
From: Marcus J Ranum <mjr @ TIS . COM>
Date: Tue, 23 Mar 93 09:26:08 EST
To: wohler @ sap-ag . de
Cc: firewalls @ GreatCircle . COM

>  i've heard the term "tunnelling router" mentioned a couple of times
>  on this list, but haven't seen a description.  could someone
>  describe this term briefly?

	A tunnelling router is a router that accepts traffic for a
network, then encapsulates it either in IP or some other protocol,
and sends it to another tunnelling router that de-encapsulates it
and injects it onto the network as if it got there normally. Part
of the encapsulation can consist of cryptography or whatever you
like. The advantage of tunnelling is that you can put a tunnel
on the *inside* of your firewall, and (depending on how your firewall
is set up) you can make remote networks you trust look like they
are local with a one-hop route. You can also do tunnelling between
trustworthy machines on remote networks, so that you can have
remote points-of-presence on networks you otherwise couldn't
get to, with possibly encrypted links. I put together a paper about
this stuff, back when I was thinking of productizing my tunnel
driver - email me if you want a copy.

>  the encrypting bit sounds like a good idea, but there might be law
>  problems if one site is in the us and the other is somewhere else,
>  esp DES.  what, besides DES is covered by us export laws?  is it
>  just the algorithm, or is one not allowed to export DES encoded
>  traffic as well?

	Just the algorithm, but you should make sure you can prove
that if you're a US-based company, that you didn't conspire to
circumvent the ITAR by whatever means you got the crypto on both
ends. It's all amazingly convoluted - there's no sense to it.

	The encrypting bit *is* a good idea. It is a fact that some
European intelligence agencies have passed intercepted industrial
secrets to their own national companies. If I were a multinational
that transported trade secrets over my network, I'd be concerned.
For this kind of purpose, however, there are loads of encrypting
CSU/DSUs or point-to-point encrypting routers that will do the
trick. Just take a vacation to Europe and take a Cylink high speed
encrypting CSU in your luggage. :)
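The encapsulate / de-encapsulate cycle Ranum describes above, as an added example that is not part of the original post and not his tunnel driver: two tunnel endpoints wrap a packet bound for the remote network in an outer IPv4 packet using IP protocol number 4 (IP-in-IP), and the far end strips it and hands the inner packet to its local network. The "cryptography or whatever you like" part is stood in for by an HMAC-SHA256 tag over the inner packet; that tag format, the addresses, the key and the `TunnelRouter` class are all constructed for this illustration, not a standard wire format. The two checks on the receiving side (the outer packet must come from the configured peer, and the inner packet must be addressed into the local network) are the ones a firewall operator would want before letting a tunnel inject traffic "as if it got there normally".

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPIP = 4    # IP-in-IP encapsulation
IPPROTO_UDP = 17
TAG_LEN = 32        # HMAC-SHA256 tag appended to the inner packet (constructed scheme)


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raise ValueError on a malformed header."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ihl = (pkt[0] & 0x0F) * 4
    if (pkt[0] >> 4) != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not an IPv4 header")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if total_len > len(pkt):
        raise ValueError("truncated packet")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:total_len]


class TunnelRouter:
    """One tunnel endpoint: outer addresses, the network it serves, the network behind its peer."""

    def __init__(self, local: str, peer: str, key: bytes, local_net: str, remote_net: str):
        self.local, self.peer, self.key = local, peer, key
        self.local_net = ipaddress.ip_network(local_net)    # where we inject inner packets
        self.remote_net = ipaddress.ip_network(remote_net)  # what we send through the tunnel

    def _tag(self, inner: bytes) -> bytes:
        return hmac.new(self.key, inner, hashlib.sha256).digest()

    def encapsulate(self, inner: bytes) -> bytes:
        """Wrap a packet for the remote network in an outer IP-in-IP packet to the peer."""
        _, dst, _, _ = parse_ipv4(inner)
        if ipaddress.ip_address(dst) not in self.remote_net:
            raise ValueError("destination is not behind the tunnel")
        return build_ipv4(self.local, self.peer, IPPROTO_IPIP, inner + self._tag(inner))

    def decapsulate(self, outer: bytes) -> bytes:
        """Strip the outer packet; refuse anything not from the peer or not for our network."""
        src, dst, proto, body = parse_ipv4(outer)
        if src != self.peer or dst != self.local or proto != IPPROTO_IPIP:
            raise ValueError("outer packet is not from our tunnel peer")
        if len(body) < 20 + TAG_LEN:
            raise ValueError("tunnel payload too short")
        inner, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(inner)):
            raise ValueError("bad authentication tag")
        _, inner_dst, _, _ = parse_ipv4(inner)
        if ipaddress.ip_address(inner_dst) not in self.local_net:
            raise ValueError("inner packet is not addressed to our network")
        return inner


def make_pair():
    """Two endpoints sharing a constructed key, each serving one private /16."""
    key = b"constructed-demo-key"  # constructed; a real tunnel would negotiate or provision this
    a = TunnelRouter("198.51.100.1", "203.0.113.1", key, "10.1.0.0/16", "10.2.0.0/16")
    b = TunnelRouter("203.0.113.1", "198.51.100.1", key, "10.2.0.0/16", "10.1.0.0/16")
    return a, b


def demo():
    """Send one constructed UDP packet from 10.1.0.5 to 10.2.0.7 through the tunnel."""
    a, b = make_pair()
    inner = build_ipv4("10.1.0.5", "10.2.0.7", IPPROTO_UDP, b"hello")
    outer = a.encapsulate(inner)
    return outer, b.decapsulate(outer)


if __name__ == "__main__":
    outer_pkt, delivered = demo()
    print("outer:", parse_ipv4(outer_pkt)[:3], "inner:", parse_ipv4(delivered)[:3])
```

The inner packet comes out byte-for-byte as it went in, which is what makes the remote network "look local with a one-hop route". Dropping the peer-address check or the inner-destination check is exactly what turns a tunnel from a trusted link into a path around the firewall, so both belong on the inside end of the tunnel regardless of whether the link is encrypted.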
