Re: an inbound SPD-check question
> >If security has been successfully applied, it seems a bit naff to bin the
> >packet because the inbound SPD check says the IPSEC protection was not
> >required.
>
> I'd drop the packet and make an audit log entry. We want misconfigurations
> to be detected and the SPD changed and if we don't provide feedback ...
I agree with Steve K. (to prevent ambiguity), but he's missing a reason.
Pardon my excessive paranoia, but if your inbound policy says "cleartext",
there's a good chance your outbound policy will also say "cleartext". Now if
someone sends you an encrypted packet which you can decrypt, but you send a
cleartext reply, suddenly an eavesdropping adversary has a piece of data
he/she didn't have before.
We drop and log such packets. We made that decision based on not allowing an
adversary free plaintext.
Dan
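The behaviour argued for in this thread, as an added illustration that is not code from any of the posters or from any IPsec implementation: a toy inbound SPD check run on the decapsulated packet. The model is simplified (selectors are just source/destination prefixes and an optional protocol number, "protected" is a flag meaning the packet arrived under AH/ESP and verified correctly), and the addresses and policy entries are constructed. The point it demonstrates is the mismatch case Dan describes: a packet that arrived protected but matches a cleartext (bypass) policy is dropped and audited rather than accepted, exactly like a cleartext packet matching a protect policy.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional


class Action(Enum):
    PROTECT = "protect"  # traffic must arrive under IPsec (AH/ESP)
    BYPASS = "bypass"    # traffic is expected in cleartext
    DISCARD = "discard"  # traffic is not allowed at all


@dataclass
class SPDEntry:
    src: str               # CIDR selector for the remote address
    dst: str               # CIDR selector for the local address
    proto: Optional[int]   # IP protocol number, None = any
    action: Action


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    protected: bool  # True if it arrived inside AH/ESP and was verified


@dataclass
class Verdict:
    accept: bool
    reason: str


# Constructed sample policy: one protected peer network, everything else cleartext.
SAMPLE_SPD = [
    SPDEntry("10.1.0.0/16", "192.0.2.0/24", None, Action.PROTECT),
    SPDEntry("0.0.0.0/0", "192.0.2.0/24", None, Action.BYPASS),
]


def lookup(spd: List[SPDEntry], pkt: Packet) -> Optional[SPDEntry]:
    """First-match lookup on the inner (decapsulated) packet's selectors."""
    for entry in spd:
        if (ip_address(pkt.src) in ip_network(entry.src)
                and ip_address(pkt.dst) in ip_network(entry.dst)
                and entry.proto in (None, pkt.proto)):
            return entry
    return None


def inbound_spd_check(spd: List[SPDEntry], pkt: Packet, audit: List[str]) -> Verdict:
    """Decide whether a received packet is consistent with inbound policy.

    Any mismatch between what the policy requires and how the packet actually
    arrived is dropped and written to the audit list, so misconfigurations are
    visible instead of silently accepted.
    """
    entry = lookup(spd, pkt)
    where = f"src={pkt.src} dst={pkt.dst} proto={pkt.proto}"
    if entry is None or entry.action is Action.DISCARD:
        audit.append(f"DROP no matching policy or discard: {where}")
        return Verdict(False, "discard")
    if entry.action is Action.PROTECT and not pkt.protected:
        audit.append(f"DROP policy requires IPsec, packet was cleartext: {where}")
        return Verdict(False, "unprotected packet on protect policy")
    if entry.action is Action.BYPASS and pkt.protected:
        # The thread's case: we could have accepted this, but the reply would go
        # out in cleartext under the matching outbound policy, so drop and log.
        audit.append(f"DROP policy is cleartext, packet arrived under IPsec: {where}")
        return Verdict(False, "protected packet on bypass policy")
    return Verdict(True, "policy satisfied")


if __name__ == "__main__":
    log: List[str] = []
    for p in (Packet("10.1.2.3", "192.0.2.10", 6, True),
              Packet("10.1.2.3", "192.0.2.10", 6, False),
              Packet("203.0.113.5", "192.0.2.10", 17, True),
              Packet("203.0.113.5", "192.0.2.10", 17, False)):
        print(p, inbound_spd_check(SAMPLE_SPD, p, log))
    print("\n".join(log))
```

Note that the check runs on the inner packet after decapsulation, so a single lookup serves both the "was protection required" and "was protection present" questions; the audit entry is what lets an operator find and fix the SPD rather than wondering why a peer's traffic disappears.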