What can applications running over ipsec assume?



I've been following the ipsec work for just about a year now, from
(among other things) the point of view of being a potential user of
these protocols.

As best I can tell, the current IPSEC architecture documents make no
mention of what services are visible from the point of view of
*applications* running on top of transport-layer protocols running
over ipsec.

Clearly, certain guarantees need to be made in order for IPSEC to
provide useful security services to applications.  A number of them
seem fairly obvious to me... but if everyone doesn't agree on what
these guarantees are, either interoperability or security or both will
suffer.

As a specific example, all of the TCP implementations I'm familiar
with do not expose TCP packet boundaries to the application.

Therefore, a system which implements ipsec should (or must) ensure
that all packets sent in one direction on a TCP connection come from
the same sender and are protected equivalently.  All the encryption
and integrity protection in the world won't help you if a spoofer can
just forge an unauthenticated packet and hijack your TCP connection.

[I'll note in passing here that requiring that all packets on a given
TCP connection share the same SPI seems to be too strong a
requirement, as it appears from some comments in the current Photuris
draft (draft-ietf-ipsec-photuris-02) that SPIs are fairly ephemeral,
and a given TCP connection may long outlive the SPI it was opened
under.]

More generally, what information contained in a security association
must be made visible to applications?  And what must not?

					- Bill



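The per-connection guarantee discussed in the message above, sketched as an added example that is not part of the original message or of any IPsec draft: each TCP connection is pinned to the authenticated peer and protection level of its first protected packet rather than to an SPI, so a rekey passes while a forged or differently protected packet is dropped. The `SA` and `ConnectionGuard` names, their fields, and the sample packets are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SA:
    """Hypothetical view of the SA an inbound packet was verified under."""
    spi: int
    peer_id: str      # authenticated identity the SA was keyed for
    integrity: bool   # packet carried integrity protection
    encrypted: bool   # packet was encrypted


class ConnectionGuard:
    """Pins each TCP connection to (peer, protection), never to the SPI."""

    def __init__(self):
        self._pinned = {}  # connection 4-tuple -> (peer_id, integrity, encrypted)

    def accept(self, conn, sa: Optional[SA]) -> bool:
        # A packet with no SA, or without integrity protection, never
        # reaches TCP and never creates a pin.
        if sa is None or not sa.integrity:
            return False
        seen = (sa.peer_id, sa.integrity, sa.encrypted)
        # The first authenticated packet sets the pin; later ones must match.
        return self._pinned.setdefault(conn, seen) == seen


def run_demo():
    # Constructed sample traffic for one connection (documentation addresses).
    conn = ("192.0.2.10", 40000, "192.0.2.20", 23)
    guard = ConnectionGuard()
    packets = [
        SA(0x1001, "alice", True, True),    # opens the connection
        SA(0x2002, "alice", True, True),    # same peer after rekey, new SPI
        None,                               # forged packet with no IPsec at all
        SA(0x3003, "mallory", True, True),  # valid SA, but a different sender
        SA(0x2002, "alice", True, False),   # same peer, weaker protection
    ]
    return [guard.accept(conn, sa) for sa in packets]


if __name__ == "__main__":
    print(run_demo())
```
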