
Re: ESP revisions straw poll



At 12:42 AM 5/17/97 EDT, Charles Lynn wrote:
>Speaking of running code, does anyone have operational experience on
>how well Path MTU discovery works?  It has been standardized for a
>long time.

Judging from packet traces, it's barely used.  That is, there are very many
packets at around 512 or 576 bytes, and almost none above it.
>> I'll remind you that IP addresses are supposed to be used as part of a
>> security identifier; an address along with an SPI indicates the SA to
>> use. 
>
>Since you raised the issue, do you know the rationale for that
>decision?  I can see how it might make construction of third party
>wire tapping devices a little easier.  However, as an implementor, I
>would not implement it that way.  I would make the SPI space within a
>box be unique, not have several spaces, one per address -- IPv4, IPv6
>link local, IPv6 global, (dare I say multicast?), per interface, ...
>Why go through all the extra work?  Bigger tables, bigger hash keys
>...  From the outside, things work.  If the box receives a packet not
>addressed to it, it gets dropped before any SPI lookup.  If it is
>addressed to the box, the purported SPI either works or it doesn't.
>If it works, whoever shared the key, so the packet would be accepted;
>if it didn't work, it would set off those audit or not alarms and be
>dropped.

That's an implementation decision.  What's important is that the sender
must be prepared to deal with multiple SPIs.

Also bear in mind the multicast case, where someone else -- the group
leader -- is assigning the SPI.
>> Additionally, i don't see how dynamic IP will be hampered by IPsec in
>> this respect, assuming a well thought out certificate scheme is in
>> place; specifically, certificates for mobile agents should not include
>> any IP addresses (this is a necessary but probably not sufficient
>> condition).
>
>From what I've had a chance to read, that may be a big assumption.
>Thinking ahead a few years, what fraction of hosts and networks will
>be mobile (at the IP level) or be subject to renumbering, possibly due
>to switching providers?  Hopefully, someone is working out all the
>nasty little details.

With IPv6, 100% of hosts will be subject to renumbering.
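To make the SPI-space point from the exchange above concrete: an added example, not from this thread or any IPsec implementation, contrasting an SA table keyed by SPI alone with one keyed by (destination address, SPI), in the multicast case where a group leader assigns the SPI independently of the receiving box. The addresses, SPI values and key names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class SecurityAssociation:
    dst: str          # destination address the SA was established for
    spi: int          # Security Parameter Index (32-bit value)
    key_id: str       # stands in for the keying material
    assigned_by: str  # who chose the SPI: "local" or "group leader"


# Constructed SADB: the local box picked SPI 0x1000 for a unicast SA, and a
# multicast group leader independently assigned the same SPI to the group SA.
SADB = [
    SecurityAssociation("192.0.2.10", 0x1000, "k-unicast", "local"),
    SecurityAssociation("224.0.1.5", 0x1000, "k-group", "group leader"),
    SecurityAssociation("192.0.2.10", 0x2000, "k-unicast-2", "local"),
]


def lookup_spi_only(sadb, spi):
    """One SPI space per box: the SPI alone must identify the SA."""
    matches = [sa for sa in sadb if sa.spi == spi]
    if len(matches) != 1:
        return None  # absent or ambiguous: no safe choice of key, drop
    return matches[0]


def lookup_dst_spi(sadb, dst, spi):
    """Per-address SPI space: destination address plus SPI names the SA."""
    for sa in sadb:
        if sa.spi == spi and ip_address(sa.dst) == ip_address(dst):
            return sa
    return None


def receive(sadb, dst, spi, keying):
    """Map an inbound (dst, spi) pair to an SA under the chosen scheme."""
    if keying == "spi-only":
        return lookup_spi_only(sadb, spi)
    return lookup_dst_spi(sadb, dst, spi)


if __name__ == "__main__":
    for scheme in ("spi-only", "dst+spi"):
        sa = receive(SADB, "224.0.1.5", 0x1000, scheme)
        print(scheme, "->", sa.key_id if sa else "no unique SA, dropped")
```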