
Re: an inbound SPD-check question



> >If security has been successfully applied, it seems a bit naff to bin the
> >packet because the inbound SPD check says the IPSEC protection was not
> >required.
> 
> I'd drop the packet and make an audit log entry.  We want misconfigurations
> to be detected and the SPD changed and if we don't provide feedback ...

I agree with Steve K. (to prevent ambiguity), but he's missing a reason.
Pardon my excessive paranoia, but if your inbound policy says "cleartext",
there's a good chance your outbound policy will also say "cleartext".  Now if
someone sends you an encrypted packet which you can decrypt, but you send a
cleartext reply, suddenly an eavesdropping adversary has a piece of data
he/she didn't have before.

We drop and log such packets.  We made that decision based on not allowing an
adversary free plaintext.

Dan
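The inbound SPD check discussed above, as an added example that is not code from this thread or from any IPsec implementation: a small Python model of the post-decapsulation check that drops and audit-logs both a cleartext packet where the policy requires IPsec and a protected packet where the policy says cleartext. The entry format, the action names and the log strings are assumptions of this example.

```python
# Added example: a minimal model of the inbound SPD check that runs after
# AH/ESP processing. Selectors, action names and log format are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

BYPASS, PROTECT, DISCARD = "bypass", "protect", "discard"


@dataclass
class SpdEntry:
    src: str      # CIDR selector for the remote peer
    dst: str      # CIDR selector for the local side
    action: str   # BYPASS (cleartext), PROTECT (IPsec required) or DISCARD


@dataclass
class InboundPacket:
    src: str
    dst: str
    protected: bool   # True if AH/ESP was successfully applied and verified


@dataclass
class Spd:
    entries: list
    audit_log: list = field(default_factory=list)

    def lookup(self, pkt):
        # First matching entry wins, as in an ordered SPD.
        for e in self.entries:
            if (ip_address(pkt.src) in ip_network(e.src)
                    and ip_address(pkt.dst) in ip_network(e.dst)):
                return e
        return None

    def inbound_check(self, pkt):
        """Return 'accept' or 'drop'; every drop leaves an audit log entry."""
        entry = self.lookup(pkt)
        if entry is None or entry.action == DISCARD:
            self.audit_log.append(f"drop {pkt.src}->{pkt.dst}: no entry or DISCARD")
            return "drop"
        if entry.action == PROTECT and not pkt.protected:
            self.audit_log.append(f"drop {pkt.src}->{pkt.dst}: IPsec required, got cleartext")
            return "drop"
        if entry.action == BYPASS and pkt.protected:
            # The case from the thread: protection was applied but the SPD says
            # cleartext. Accepting it would likely draw a cleartext reply, so the
            # packet is dropped and the likely misconfiguration is logged.
            self.audit_log.append(f"drop {pkt.src}->{pkt.dst}: protected, SPD says bypass")
            return "drop"
        return "accept"
```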

