
Re: users and connections a futile waste of time

In message <6019.wsimpson@greendragon.com>, "William Allen Simpson" writes:
>OK, assuming that both Bellovin and Kent are using the same terminology,
>this says that we really cannot use IP Security in the attack scenarios
>outlined by Bellovin.

What IPsec provides is packet-flow integrity. Given a TCP endpoint
pair (address1, port1, address2, port2), it is possible to map a
packet flow to a TCP connection and vice versa (meaning that only
packets of that connection will use the negotiated SAs, and that if
both peers do that, all packets using that SA will belong to this TCP
connection only). What this leaves us with is attacks before or after
the endpoints are established or torn down respectively.

Before: process binds to port, asks for an SA; before SA is
established, process is killed and another process binds to the same
port. Given a badly designed system, the second process could end up
using the first one's SA. This can be avoided by the operating system
"locking" ports for which a negotiation is taking place, destroying
the resulting SA, then unlocking the port (by lock I mean make it
unavailable for binding to). A second attack is possible as a race
condition if a process can ask for an SA for a port that it has not
bound to yet; this would be both a strange way of doing things and
extremely bad practice on the application programmer's side.

After: process exits; another process binds to same port, then replays
traffic or otherwise uses existing SA. Obviously, this can be avoided
if the operating system destroys the SA as soon as the socket is
closed (or shutdown).

The same holds for UDP. The model breaks somewhat for ICMP, but why
someone would want to send confidential information using ICMP *and*
worry about hostile users reading them is beyond me.

Given these rather modest expectations from an operating system, I
don't see how even hostile users with no unusual privileges (such as
being able to read the kernel memory) can read each other's traffic or
do other attacks.

Or am I missing something here?
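As an added illustration of the two races and the two operating-system fixes described in the message above (a constructed toy model, not code from the thread; the Kernel class, its method names and the pid/port values are assumptions), the following Python state machine shows a second process inheriting the first one's SA unless the port is locked during negotiation and the SA is destroyed on close:

```python
class Kernel:
    """Toy kernel state: port bindings, ports locked for a pending SA
    negotiation, and installed SAs. hardened=True enables both fixes."""
    def __init__(self, hardened):
        self.hardened = hardened
        self.bound = {}        # port -> pid currently bound to it
        self.negotiating = {}  # port -> pid that asked for the SA (lock)
        self.sas = {}          # port -> pid the SA was negotiated for

    def bind(self, pid, port):
        if port in self.bound or (self.hardened and port in self.negotiating):
            raise OSError("EADDRINUSE")  # in use, or locked until IKE finishes
        self.bound[port] = pid

    def request_sa(self, pid, port):
        if self.bound.get(port) != pid:
            raise PermissionError("bind the port before asking for an SA")
        self.negotiating[port] = pid

    def sa_established(self, port):
        # Negotiation completes, possibly after the requester has died.
        requester = self.negotiating.pop(port)
        if self.hardened and self.bound.get(port) != requester:
            return  # requester gone: destroy the new SA; port is now unlocked
        self.sas[port] = requester

    def close(self, pid, port):
        if self.bound.get(port) == pid:
            del self.bound[port]
            if self.hardened:
                self.sas.pop(port, None)  # the SA dies with the socket

    def can_use_sa(self, pid, port):
        return port in self.sas and self.bound.get(port) == pid


def race(hardened, killed_before_sa):
    """Pid 1 binds and requests an SA, dies before ('Before') or after
    ('After') the SA exists; pid 2 then binds the same port. True = SA leak."""
    k = Kernel(hardened)
    k.bind(1, 5000)
    k.request_sa(1, 5000)
    if not killed_before_sa:
        k.sa_established(5000)
    k.close(1, 5000)  # pid 1 is killed or exits
    try:
        k.bind(2, 5000)
    except OSError:
        pass  # hardened kernel: the port is still locked
    if killed_before_sa:
        k.sa_established(5000)  # IKE finishes after pid 1 is gone
    return k.can_use_sa(2, 5000)
```

With `hardened=False` both `race(False, True)` and `race(False, False)` return True (the second process gets the SA); with `hardened=True` both return False.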