
Re: Comments on IPSO and AH/ESP



In message <199508152014.AA37578@interlock.ans.net>, Sean O'Malley writes:
>> One obvious problem with encapsulation is that if IPSO is in the inner
>> packet, it can't easily be examined by the routers to perform
>> filtering as routers do right now.  This means the same
>> interoperability issues with the status quo will also exist in this
>> case.

>Why not have the IPSO option appear in BOTH IP headers. The 
>encapsulated one to be signed and the real IP header to be 
>looked at by the router.  Now someone could change the IPSO 
>in the real header so that the router would do something 
>unnatural to it but unless you are expecting the router to 
>understand IPSEC and authenticate the header (which requires 
>that it know about IPSEC anyway and hence could compare the 
>copies of the IPSO fields to see if they match) this is not 
>an issue. At this point saving bits are the least of our 
>problems.

	This seems pretty sensible to me, but it only seems to work in the
case where both ends understand IPSO. If you have a single-level machine
talking to a multi-level machine where the routers are adding IPSO options
midstream, I don't think this solves the problem. If you built a packet at
the single-level machine of the form IPv4 AH ULP, the midstream router would
create IPv4 IPSO IPv4 IPSO AH ULP this way, and the inner packet would still
fail authentication.

	After doing some thinking, it seems to me that a possible solution to
the single-level to multi-level problem is to have the gateway that puts the
IPSO option on the packet calculate/re-calculate the AH. This changes your
security guarantee mode from end-to-end to intermediate and has unfortunate
keying implications, but it seems to me that you are already putting a fairly
heavy degree of trust in your router in this case in the first place, so the
risk added isn't all that great. This would create this kind of configuration:

	[Single-Level]                       [Multi-Level]

        BSD Box-----------Gateway-----------MLS Box
               IPv4 AH1 ULP      IPv4 IPSO AH2 ULP

	(Note: AH1 = AH in key from BSD Box, AH2 = AH in key from Gateway)

	This might create key distribution problems, however. Proxy keying
time, everyone.

									-Craig
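The three arrangements discussed in this thread (IPSO copied into the inner, authenticated header; IPSO only in the outer header as Sean suggests; and the gateway re-computing AH under its own key as Craig proposes) can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from any IPsec implementation: the header layout, the serialization that stands in for AH coverage, the host names, the keys and the IPSO option bytes are all constructed for the example. AH coverage follows the RFC 1826 idea that immutable header fields and options are authenticated while mutable fields such as TTL are treated as zero, so inserting an option mid-stream changes the authenticated bytes.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Hypothetical simplified IPv4 header for the model (not a wire-format
# encoder). src/dst and options are immutable in transit; ttl is mutable.
@dataclass
class IPHeader:
    src: str
    dst: str
    ttl: int = 64
    options: tuple = ()          # e.g. (("IPSO", b"..."),) constructed values


def ah_coverage(hdr: IPHeader, payload: bytes) -> bytes:
    """Bytes that AH authenticates: immutable fields and options, the
    mutable ttl replaced by zero, then the upper-layer payload."""
    parts = [hdr.src.encode(), hdr.dst.encode(), b"\x00"]   # ttl -> 0
    for name, value in hdr.options:
        parts.append(name.encode() + value)
    parts.append(payload)
    return b"|".join(parts)


def compute_ah(key: bytes, hdr: IPHeader, payload: bytes) -> bytes:
    return hmac.new(key, ah_coverage(hdr, payload), hashlib.sha256).digest()


def verify_ah(key: bytes, hdr: IPHeader, payload: bytes, icv: bytes) -> bool:
    return hmac.compare_digest(compute_ah(key, hdr, payload), icv)


# Constructed keys and option bytes (placeholders, not real key material).
KEY_BSD_MLS = b"constructed-key-bsd-box-to-mls-box"   # AH1: BSD box <-> MLS box
KEY_GW_MLS = b"constructed-key-gateway-to-mls-box"    # AH2: gateway <-> MLS box
IPSO = ("IPSO", b"\x02\x01")                          # stand-in Basic Security Option
ULP = b"upper-layer data from the single-level host"


def build_from_bsd():
    """Single-level host emits IPv4 AH ULP with no IPSO option at all."""
    hdr = IPHeader("bsd-box", "mls-box")
    return hdr, ULP, compute_ah(KEY_BSD_MLS, hdr, ULP)


def inner_ipso_scenario() -> bool:
    """Gateway builds IPv4 IPSO IPv4 IPSO AH ULP, i.e. it also inserts IPSO
    into the inner header.  The inner copy alters authenticated bytes, so
    AH1 fails when the MLS box decapsulates and checks it."""
    hdr, payload, icv1 = build_from_bsd()
    inner = replace(hdr, ttl=hdr.ttl - 1, options=hdr.options + (IPSO,))
    # The outer header is not covered by AH1, so only the inner one matters.
    return verify_ah(KEY_BSD_MLS, inner, payload, icv1)


def outer_only_scenario():
    """IPSO only in the outer header for routers, inner header left as
    signed.  AH1 verifies, but the two IPSO copies cannot be compared for
    equality because the single-level host never added one."""
    hdr, payload, icv1 = build_from_bsd()
    outer = IPHeader("gateway", "mls-box", options=(IPSO,))
    inner = replace(hdr, ttl=hdr.ttl - 1)
    ah_ok = verify_ah(KEY_BSD_MLS, inner, payload, icv1)
    copies_match = outer.options == inner.options
    return ah_ok, copies_match


def gateway_rekey_scenario() -> bool:
    """Gateway verifies AH1, adds IPSO, then recomputes AH2 under the
    gateway<->MLS key.  The guarantee becomes hop-wise rather than
    end-to-end, so the MLS box is now trusting the gateway's key."""
    hdr, payload, icv1 = build_from_bsd()
    if not verify_ah(KEY_BSD_MLS, hdr, payload, icv1):
        return False             # gateway drops unauthenticated input first
    relabelled = replace(hdr, ttl=hdr.ttl - 1, options=hdr.options + (IPSO,))
    icv2 = compute_ah(KEY_GW_MLS, relabelled, payload)
    return verify_ah(KEY_GW_MLS, relabelled, payload, icv2)


if __name__ == "__main__":
    print("IPSO in inner header, AH1 verifies:", inner_ipso_scenario())
    print("IPSO in outer header only (AH1 ok, copies match):", outer_only_scenario())
    print("gateway recomputes AH2, AH2 verifies:", gateway_rekey_scenario())
```

The third function is where the keying cost shows up: the MLS box must hold a key shared with the gateway rather than with the originating host, which is the "proxy keying" Craig refers to, and the gateway's own AH1 check is the only thing tying AH2 back to the single-level host.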

