
Re: AH & IPv4 options



On Aug 28, 11:54, smb@research.att.com wrote:
} Subject: Re: AH & IPv4 options


% What of routers -- specifically Cisco -- that will add or delete IPSO
% options?  Bill claimed that that's broken, too -- but it
% certainly exists,

IPSO mangling is turned OFF in all Cisco routers UNLESS the network
admin specifically configures it on.  IETF specs can't protect
against users who shoot themselves in the foot by misconfiguring
their networks and are then surprised when things don't work as
expected.

Moreover, MOST sites that do anything with IPSO in the first place
ONLY apply IPSO filtering (e.g. Cisco's Access Lists) and do NOT
mangle the packet by inserting/modifying/deleting IPSO labels.

Having some familiarity with sites that currently use IPSO filtering
(commonplace in classified networks), I can say that most of those
sites desire to authenticate their IPSO options and are uncomfortable
with non-authenticatable IPSO options as we have at present.

The ability to authenticate IPSO labels is really really important
because those labels are used for Mandatory Access Controls.

% and is probably necessary for single-level systems on, say,
% top secret nets.

I disagree with the assertion that IPSO mangling is ever really
necessary, based on experience consulting with folks who have
classified networks.  Moreover, the classified nets don't cross
connect with The Internet and their operators DO have complete
control over the network configuration so it is straightforward
to reconfigure their routers to disable IPSO mangling if it
is currently enabled.

Ran
rja@cs.nrl.navy.mil
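The tension the post describes, between routers that rewrite IPSO labels in transit and sites that want those labels authenticated, comes down to how an AH-style integrity check treats the IPv4 header. The following is an added illustration, not code from the thread or from any IPsec implementation. It assumes a simplified AH layout, HMAC-SHA256 as a stand-in integrity algorithm, and RFC 1108 classification codes as I read them (all constructed for the demo). It zeroes the header fields that legitimately change hop by hop (ToS, flags/fragment offset, TTL, checksum) and any mutable option, then shows that a normal TTL decrement still verifies while a router rewriting the IPSO classification level does not.

```python
"""Added example: why authenticating the IPv4 header conflicts with in-transit
IPSO rewriting.  All keys, addresses and framing are constructed for the demo."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-do-not-reuse"   # constructed, hypothetical
AH_PROTO = 51                                # IP protocol number of AH
IPSO_TYPE = 130                              # RFC 1108 Basic Security Option
CLASS_TOP_SECRET = 0x3D                      # RFC 1108 level codes (assumed)
CLASS_SECRET = 0x5A
CLASS_UNCLASSIFIED = 0xAB
MUTABLE_OPTIONS = {7, 68, 131, 137, 148}     # RR, TS, LSRR, SSRR, Router Alert
ICV_LEN = 16                                 # truncated HMAC, demo choice
AH_FIXED_LEN = 12                            # next hdr, len, reserved, SPI, seq


def ipso_option(classification, authority=0x80):
    # type, length, classification level, one protection-authority octet
    # (low bit clear marks it as the last authority octet)
    return bytes([IPSO_TYPE, 4, classification, authority])


def build_ipv4_header(src, dst, options, payload_len, ttl):
    ihl_bytes = 20 + len(options)
    if ihl_bytes % 4 or ihl_bytes > 60:
        raise ValueError("options must pad the header to a multiple of 4 bytes")
    # checksum left as zero: the integrity check zeroes it anyway
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (ihl_bytes // 4), 0,
                        ihl_bytes + payload_len, 0x1234, 0x4000, ttl,
                        AH_PROTO, 0, src, dst)
    return fixed + options


def canonicalize_ipv4(header):
    """Zero what AH treats as mutable in transit: ToS, flags/fragment offset,
    TTL, header checksum, and every mutable option.  IPSO is not in that set,
    so a rewritten label changes the hashed bytes and fails verification."""
    h = bytearray(header)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    ihl = (h[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        opt_type = h[i]
        if opt_type == 0:              # End of Options List
            break
        if opt_type == 1:              # No Operation, single byte
            i += 1
            continue
        opt_len = h[i + 1]
        if opt_len < 2 or i + opt_len > ihl:
            raise ValueError("malformed IPv4 option")
        if opt_type in MUTABLE_OPTIONS:
            h[i:i + opt_len] = bytes(opt_len)
        i += opt_len
    return bytes(h)


def compute_icv(header, ah_fixed, payload):
    data = canonicalize_ipv4(header) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(classification, ttl=64, payload=b"constructed payload"):
    options = ipso_option(classification)
    # next header TCP(6), AH length in 32-bit words minus 2, reserved, SPI, seq
    ah_fixed = struct.pack("!BBHII", 6, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, 0x100, 1)
    header = build_ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", options,
                               AH_FIXED_LEN + ICV_LEN + len(payload), ttl)
    return header + ah_fixed + compute_icv(header, ah_fixed, payload) + payload


def split_packet(packet):
    ihl = (packet[0] & 0x0F) * 4
    ah_end = ihl + AH_FIXED_LEN
    return (packet[:ihl], packet[ihl:ah_end],
            packet[ah_end:ah_end + ICV_LEN], packet[ah_end + ICV_LEN:])


def verify(packet):
    header, ah_fixed, icv, payload = split_packet(packet)
    return hmac.compare_digest(icv, compute_icv(header, ah_fixed, payload))


def forward_hop(packet):
    """What an ordinary router does: decrement TTL (checksum ignored here)."""
    p = bytearray(packet)
    p[8] -= 1
    return bytes(p)


def ipso_offset(packet):
    ihl = (packet[0] & 0x0F) * 4
    i = 20
    while i < ihl:
        if packet[i] == 0:
            break
        if packet[i] == 1:
            i += 1
            continue
        if packet[i] == IPSO_TYPE:
            return i
        if packet[i + 1] < 2:
            raise ValueError("malformed IPv4 option")
        i += packet[i + 1]
    raise ValueError("no IPSO option present")


def mangle_ipso(packet, new_classification):
    """What IPSO 'mangling' does: rewrite the label's classification level."""
    p = bytearray(packet)
    p[ipso_offset(packet) + 2] = new_classification
    return bytes(p)


if __name__ == "__main__":
    pkt = build_packet(CLASS_SECRET)
    print("original verifies:", verify(pkt))
    print("after TTL decrement:", verify(forward_hop(pkt)))
    print("after IPSO rewrite:", verify(mangle_ipso(pkt, CLASS_UNCLASSIFIED)))
```

The design choice worth noting is the mutable set: whatever a router may change on the path has to be zeroed before hashing, and whatever is zeroed cannot be authenticated. Keeping IPSO out of that set is exactly what gives the sites the post mentions an authenticated label, and exactly what makes any in-transit label rewriting show up as an integrity failure at the receiver.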