
Re: ports in the clear...
Greg Minshall writes:
> Did i mention my desire to expose the source and destination TCP/UDP ports 
> (via some new fields in the IPSEC header) when doing encryption?

Unfortunately, that conflicts with the desire many others have to
reduce the amount of traffic analysis that can be done. It also has
the problem that there is no way for a traffic monitor to know what
kind of ESP transform is being used and thus which portion of the ESP
header to look in -- since the only thing constant across ESP
transforms is the 32 bit SPI header, it is very hard indeed to know
you are using a transform that exposes anything.

At this point, given the extensive implementations out in the field,
changing everything for everyone might be hard.

The reason for AH was, of course, to have "exposed" datagrams that
were authenticated.

There may be some other ways to achieve the QoS goal you have,
though...

.pm
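
To make the point in the message above concrete, here is an added example (not from this list or its authors) of what a passive traffic monitor can read from IPsec packets without knowing anything about the SA or transform in use. It assumes the RFC 2402 AH layout (fixed header, SPI, sequence number, 96-bit ICV) and an ESP packet whose only fixed field is the leading 32-bit SPI; the packets are constructed inline and use placeholder addresses, no checksums and a zeroed ICV.

```python
import struct

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51


def ipv4_header(proto, payload_len):
    # Minimal IPv4 header (constructed sample: no options, checksum left 0).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def tcp_header(sport, dport):
    # 20-byte TCP header with only the ports populated (constructed sample).
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def ah_packet(sport, dport, spi):
    icv = b"\x00" * 12  # 96-bit ICV placeholder; AH = 12 + 12 = 24 bytes
    # AH payload length field = (AH length in 32-bit words) - 2 = 6 - 2 = 4
    ah = struct.pack("!BBHII", IPPROTO_TCP, 4, 0, spi, 1) + icv
    tcp = tcp_header(sport, dport)
    return ipv4_header(IPPROTO_AH, len(ah) + len(tcp)) + ah + tcp


def esp_packet(spi, ciphertext):
    # Assumption: only the SPI is at a fixed place; everything after it is
    # transform-dependent, so a monitor cannot interpret it.
    esp = struct.pack("!I", spi) + ciphertext
    return ipv4_header(IPPROTO_ESP, len(esp)) + esp


def monitor_view(pkt):
    """Return what a transform-agnostic monitor can recover from one packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_AH:
        next_hdr, plen = body[0], body[1]
        ah_len = (plen + 2) * 4            # AH header length in bytes
        spi = struct.unpack("!I", body[4:8])[0]
        inner = body[ah_len:]              # authenticated but in the clear
        if next_hdr == IPPROTO_TCP and len(inner) >= 4:
            sport, dport = struct.unpack("!HH", inner[:4])
            return {"proto": "AH", "spi": spi, "sport": sport, "dport": dport}
        return {"proto": "AH", "spi": spi}
    if proto == IPPROTO_ESP:
        # The SPI is the only field a monitor can rely on across transforms.
        return {"proto": "ESP", "spi": struct.unpack("!I", body[:4])[0]}
    return {"proto": proto}
```

Under AH the monitor sees the SPI and the TCP ports; under ESP it gets the SPI and nothing else, which is why ports "exposed" inside a transform-specific ESP layout would not help a generic monitor.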