
Re: Network Management with IP Sec



> The way I read the IP Sec RFC, the original packet will be encapsulated, a
> checksum is calculated, and then all information in the original packet is
> encrypted (or something along those lines -- that's not the important part).
> If this is the case, I lose visibility into the original packet and
> therefore cannot determine the port it was using...

Basically correct.  To a considerable extent, this is a feature, since it
conceals not only the data but also details of where it's going.  (There
is a whole branch of technical espionage -- traffic analysis -- devoted to
learning things by looking at message sources, destinations, sizes, flow
rates, etc., without ever knowing the *content*.  An amazing variety of
information can be inferred that way, given cleverness and patience.)

The problems that full-packet encryption causes for firewalls, smart
routers, network monitors, etc., which currently do their job partly by
spying on the traffic, have been noticed before.  There appears to be no
simple solution.

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)
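The situation described above, as an added example (not code from the original thread): a constructed TCP packet is parsed the way a port-based firewall would read it, then the same packet is carried in ESP tunnel mode and parsed again. The outer IPv4 header, SPI, sequence number and length remain visible; the inner addresses and ports do not. The XOR routine is a stand-in for the real cipher so the example runs offline with only the standard library; the addresses, ports, SPI and key are made up for the example. The flow_summary function shows the side Henry mentions, namely what traffic analysis still learns from sizes and counts alone.

```python
"""Added example: what a port-based filter sees before and after IPsec ESP.
Uses only the standard library; all packets are constructed inline."""
import struct

IPPROTO_TCP = 6
IPPROTO_ESP = 50


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options). Checksum left zero because
    nothing here actually routes the packet."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header (a SYN) with only the fields a filter reads."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02,
                       65535, 0, 0)


def toy_encrypt(data, key):
    """Stand-in for the real cipher (assumption for the example): XOR with a
    repeating key. A real SA would use a proper cipher; the point is only that
    the monitor cannot read the inner bytes. Applying it twice decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def esp_packet(spi, seq, ciphertext):
    """ESP as it appears on the wire: SPI, sequence number, then an opaque
    encrypted payload that hides the inner IP and transport headers."""
    return struct.pack("!II", spi, seq) + ciphertext


def inspect(pkt):
    """What a port-based firewall can learn from one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    info = {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "proto": proto,
        "length": len(pkt),
    }
    if proto == IPPROTO_TCP:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
        info["sport"] = info["dport"] = None  # hidden inside the ciphertext
    return info


def port_filter(pkt, blocked_ports):
    """Decision a port-based filter can make: 'drop', 'pass', or 'unknown'
    when the destination port is not visible at all."""
    info = inspect(pkt)
    if info.get("dport") is None:
        return "unknown"
    return "drop" if info["dport"] in blocked_ports else "pass"


def flow_summary(pkts):
    """What traffic analysis still gets from ESP: endpoints, SPI, packet count
    and byte totals per flow, without any access to the content."""
    flows = {}
    for p in pkts:
        i = inspect(p)
        key = (i["src"], i["dst"], i.get("spi"))
        cnt, total = flows.get(key, (0, 0))
        flows[key] = (cnt + 1, total + i["length"])
    return flows


# Constructed sample: a TCP SYN from 10.0.0.5 to port 22 on 10.0.0.9, in the clear.
PLAIN = ipv4_header("10.0.0.5", "10.0.0.9", IPPROTO_TCP, 20) + tcp_header(40000, 22)

# The same packet in ESP tunnel mode between two gateways (made-up addresses):
# the whole original packet, IP and TCP headers included, is the ciphertext.
KEY = b"\x13\x37\xc0\xde"  # made-up key for the toy cipher
CIPHER = toy_encrypt(PLAIN, KEY)
TUNNEL = (ipv4_header("203.0.113.1", "198.51.100.1", IPPROTO_ESP, 8 + len(CIPHER))
          + esp_packet(0x1234, 7, CIPHER))

if __name__ == "__main__":
    print("clear:", inspect(PLAIN), port_filter(PLAIN, {22}))
    print("esp:  ", inspect(TUNNEL), port_filter(TUNNEL, {22}))
    print("flows:", flow_summary([TUNNEL, TUNNEL]))
```

Run as a script it prints the two parses side by side: the clear packet yields port 22 and a "drop" decision, the ESP packet yields only SPI 0x1234, sequence 7 and a 68-byte length, so the same rule cannot be applied. The flow summary is exactly the kind of source/destination/size record that traffic analysis works from.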


