
Re: Field Variance Analysis



In message <9508150258.AA04859@uncial.CS.Arizona.EDU>, Hilarie Orman writes:
>>	The third is one that many people discount, claiming that IPSO is
>> just broken and shouldn't be a factor. I'm not here to judge IPSO, but
>> certain government organizations have a large IPSO deployed base and they
>> won't buy into IPsec at all if it leaves them SOL with IPSO. Both the second
>> and third on this list imply no alternative but to protect IPv4 options
>> if we are going to defend against these attacks. If we aren't going to
>> defend against these attacks, then we can talk in terms of not authenticating
>> options.
>
>Might not the certain government organizations use encapsulation with
>a MD5 transform as a method of protecting the IPSO?

	If we choose not to protect IPv4 options, then it is possible for
those organizations to use IP-IP tunneling with AH on the outside packet
and the IPSO option on the inside (tunnelled) packet, except that this will
defeat the purpose of IPSO because routers will only look at the outside
packet. So, in order to provide intermediate IPSO processing (and IPSO is
meant to be used by intermediate glorified-routers to make policy decisions),
we have no reasonable choice but to find a way to authenticate IPv4 options.

								-Craig
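The layout Craig describes, modelled as an added example (this is illustrative code written for this archive page, not code from the thread, the IPsec working group, or any implementation): an inner IPv4 packet carrying an RFC 1108 basic security option is tunnelled inside an outer IPv4 packet protected by AH. The router model only parses the header it is handed, so it reports no classification for the tunnelled packet unless it is explicitly told to descend into the tunnel. Assumptions: HMAC-MD5 truncated to 96 bits stands in for the MD5 transform mentioned in the thread; the mutable-field set zeroed for the ICV (TOS, flags/fragment offset, TTL, checksum) and the RFC 1108 option encoding and classification code are from memory and labelled as such; all addresses, keys and payloads are constructed.

```python
"""Toy model of IP-in-IP tunnelling with AH on the outer packet and an
IPSO option on the inner packet.  Constructed example for illustration."""
import hashlib
import hmac
import socket
import struct

IPSO_TYPE = 130        # RFC 1108 basic security option, type 0x82
IPPROTO_IPIP = 4
IPPROTO_AH = 51
IPSO_SECRET = 0x5A     # assumed RFC 1108 code for "Secret"; check the RFC
KEY = b"constructed-demo-key"


def ipso_basic_option(level, authority_flags=0x00):
    """Type, length, classification level, protection authority flags.
    Length 4 assumes a single flag octet (low bit 0 marks the last octet)."""
    return bytes([IPSO_TYPE, 4, level, authority_flags & 0xFE])


def _checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, options=b"", ttl=64):
    """Minimal IPv4 packet builder; options are padded to a 32-bit boundary."""
    options += b"\0" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                      20 + len(options) + len(payload), 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst)) + options
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_options(pkt):
    """Return [(type, data), ...] for the options in this header only."""
    ihl = (pkt[0] & 0xF) * 4
    opts, i, out = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == 0:            # end of option list
            break
        if t == 1:            # no-op
            i += 1
            continue
        n = opts[i + 1]
        out.append((t, opts[i + 2:i + n]))
        i += n
    return out


def ah_icv(pkt, key):
    """HMAC-MD5-96 over the outer header with assumed mutable fields
    (TOS, flags/fragment offset, TTL, checksum) zeroed, plus everything after."""
    ihl = (pkt[0] & 0xF) * 4
    h = bytearray(pkt[:ihl])
    h[1] = 0
    h[6:8] = b"\0\0"
    h[8] = 0
    h[10:12] = b"\0\0"
    return hmac.new(key, bytes(h) + pkt[ihl:], hashlib.md5).digest()[:12]


def ah_wrap(src, dst, inner, key, spi=0x1000, seq=1):
    """Outer IPv4 (proto 51) + 24-byte AH (next header 4, 12-byte ICV) + inner."""
    ah = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, spi, seq)  # payload len 4 words
    pkt = build_ipv4(src, dst, IPPROTO_AH, ah + b"\0" * 12 + inner)
    ihl = (pkt[0] & 0xF) * 4
    return pkt[:ihl + 12] + ah_icv(pkt, key) + pkt[ihl + 24:]


def ah_verify(pkt, key):
    ihl = (pkt[0] & 0xF) * 4
    ah_len = (pkt[ihl + 1] + 2) * 4
    icv = pkt[ihl + 12:ihl + ah_len]
    zeroed = pkt[:ihl + 12] + b"\0" * len(icv) + pkt[ihl + ah_len:]
    return hmac.compare_digest(ah_icv(zeroed, key), icv)


def router_classification(pkt, follow_tunnel=False):
    """Classification an IPSO-enforcing router would see.  A real router looks
    only at the outer header; follow_tunnel models one that also parses inside."""
    for t, data in parse_options(pkt):
        if t == IPSO_TYPE:
            return data[0]
    if not follow_tunnel:
        return None
    ihl, proto, off = (pkt[0] & 0xF) * 4, pkt[9], (pkt[0] & 0xF) * 4
    if proto == IPPROTO_AH:
        proto, off = pkt[ihl], ihl + (pkt[ihl + 1] + 2) * 4
    if proto == IPPROTO_IPIP:
        return router_classification(pkt[off:], follow_tunnel)
    return None


def demo():
    inner = build_ipv4("10.1.1.1", "10.2.2.2", 17, b"payload",
                       ipso_basic_option(IPSO_SECRET))
    outer = ah_wrap("192.0.2.1", "198.51.100.1", inner, KEY)
    tampered = outer[:-1] + bytes([outer[-1] ^ 1])   # flip a byte of the inner payload
    return {"ah_ok": ah_verify(outer, KEY),
            "outer_view": router_classification(outer),
            "inner_view": router_classification(outer, follow_tunnel=True),
            "tamper_detected": not ah_verify(tampered, KEY)}


if __name__ == "__main__":
    print(demo())
```

The AH ICV covers the whole inner packet, so the IPSO option is integrity-protected end to end; the point of the reply is that this does not help an intermediate router, which sees only the option-free outer header (`outer_view` is `None`) unless it is willing to parse past AH into the tunnelled packet, which ordinary routers do not do.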