
Re: Field Variance Analysis




Craig Metz writes:
> >I believe that Hilarie has hit on the way to cut the Gordian knot. If
> >the originating system wants to protect options under IPv4, it
> >probably should encapsulate the whole packet and not just the
> >transport.
> 
> 	Consider the goal of protecting source routes.

I'm not sure there is a point to protecting source routes.

Consider the following:

1) The worst the attacker can do is force you to use a different route
   than the intended one. He can force you to reply on a reversed bad
   source route and can read your messages and keep the intended
   recipient from reading them. However, if he's an active attacker in
   the line he can do that anyway.
2) We can't authenticate to intermediate nodes so the only thing the
   machine on the end knows is what source route options the packet
   was sent with, *not* what path it took.

Authentication makes source routing safe not because it makes the
source routes themselves immune from attack but because it
authenticates the endpoints.

Perry