
Re: Bellovin's attack and others like it




Perry, we have similar experience. I think if decision-making is done at IP
layer, then most likely there will be some layer mixing (i.e., IP looks at
the transport layer). Our code uses UDP and it does not cause any difficulty.
I think this little layer mixing is a common practice on firewalls/packet-filters
already.

Using a new transport protocol may be conceptually cleaner and make IPSP policy
simpler (no need for exemptions), though.

If we put the key mgmt engine in the user space, then my feeling is that there
is no big difference in coding effort/complexity between the two approaches.

Regards, Pau-Chen

>
> "Avi Rubin" says:
> > It looks like there are two approaches out there, using a UDP
> > port for key management, or having separate layers for key mgmt
> > vs. data packets.
> >
> > I'd like to see a constructive discussion of the tradeoffs using
> > each technique from Pau-Chen, Hilarie and others.
>
> I'd say that there isn't much of a good reason not to use a UDP
> port. I've heard arguments to the effect that this somehow causes
> layer mixing but my design doesn't seem to suffer when things are done
> this way.
>
> Perry
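The "layer mixing" point in the message above, as an added illustration that is not code from the original mail or from either author's implementation: a toy IP-layer policy check written in Python. When key management rides on a UDP port, the per-packet policy decision has to parse the UDP header to exempt that traffic; with a dedicated transport protocol number, the IP header alone suffices. The port number, the protocol number and all packet bytes below are constructed for the demonstration and are not taken from the thread.

```python
"""
Added example, not from the original mail.  Two minimal IP-layer policy
variants for exempting key-management traffic from the "must be protected"
rule.  The UDP port (KEYMGMT_UDP_PORT) and the separate protocol number
(IPPROTO_KEYMGMT) are hypothetical values chosen for the demo.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_KEYMGMT = 253      # hypothetical: a dedicated key-management transport
KEYMGMT_UDP_PORT = 5000    # hypothetical: port used by a key-management daemon


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) from a minimal IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl = pkt[0]
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if len(pkt) < ihl:
        raise ValueError("truncated IPv4 options")
    proto = pkt[9]
    return proto, pkt[12:16], pkt[16:20], pkt[ihl:]


def udp_ports(payload: bytes):
    """Return (sport, dport); raises if the UDP header is incomplete."""
    if len(payload) < 8:
        raise ValueError("truncated UDP header")
    return struct.unpack("!HH", payload[:4])


def policy_udp_port(pkt: bytes) -> str:
    """Variant A: key mgmt on a UDP port.  The IP-layer decision must look
    into the transport header (this is the layer mixing).  A packet whose
    transport header cannot be parsed fails closed and is dropped."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_UDP:
        try:
            sport, dport = udp_ports(payload)   # peek at the transport layer
        except ValueError:
            return "drop"
        if KEYMGMT_UDP_PORT in (sport, dport):
            return "exempt"
    return "protect"


def policy_separate_proto(pkt: bytes) -> str:
    """Variant B: dedicated transport protocol number.  Only the IP header
    is consulted, so no transport-layer parsing is needed here."""
    proto, *_ = parse_ipv4(pkt)
    return "exempt" if proto == IPPROTO_KEYMGMT else "protect"


# --- constructed packets for the demo ---------------------------------------

def build_ipv4(proto: int, payload: bytes,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Build a 20-byte IPv4 header (checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Build a UDP header (checksum left zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def demo():
    """Run both policy variants over a few constructed packets."""
    samples = {
        "keymgmt over UDP": build_ipv4(IPPROTO_UDP,
                                       build_udp(KEYMGMT_UDP_PORT, KEYMGMT_UDP_PORT, b"kx")),
        "ordinary UDP":     build_ipv4(IPPROTO_UDP, build_udp(4000, 53, b"q")),
        "keymgmt own proto": build_ipv4(IPPROTO_KEYMGMT, b"kx"),
        "truncated UDP":    build_ipv4(IPPROTO_UDP, b"\x00\x01"),
    }
    return {name: (policy_udp_port(p), policy_separate_proto(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (a, b) in demo().items():
        print(f"{name:18s} udp-port variant: {a:8s} separate-proto variant: {b}")
```

The truncated-UDP case is the one worth noticing: variant A has to decide what to do when the transport header it depends on is incomplete (here it fails closed), while variant B never faces that question because it never reads past the IP header. That is the "no need for exemptions" simplification Pau-Chen mentions, traded against introducing a new protocol number.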


