[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: inbound policy verification

To: lmccarth@cs.umass.edu, ipsec@tis.com
Subject: Re: inbound policy verification
From: "Valery Smyslov" <svan@elvis.ru>
Date: Tue, 29 Sep 1998 10:32:53 +3
Comments: Authenticated sender is <svan@ss10>
In-reply-to: <36102B9E.FD39A982@cs.umass.edu>
Organization: Elvis+
Sender: owner-ipsec@ex.tis.com

On 28 Sep 98 at 20:36, Lewis McCarthy wrote:

Hi, 

> > For example, suppose I'm a host H1 and I expect to receive packets from a
> > network N2, but there's a particular host H2 in N2 for which I have
> > different security requirements. So I create two policies in my inbound SPD
> > - first one with source address selector H2, and the second one with source
> > address selector N2 (an address prefix or range). The first policy results
> > in a SAD entry with security association SA1, and the second results in a
> > SAD entry with security association SA2.
> 
> The policy entries you're creating in this hypothetical example don't mean 
> what I think you intend. The policy using N2 as a selector allows certain 
> kinds of security associations to be established with any host matching the
> N2 selector, *regardless* of what other policy assertions are in the SPD. 
> Meanwhile the policy that selects on H2 allows certain other kinds of 
> security associations to be set up with H2, *in addition to* any other 
> kinds of security associations that may be allowed by other policies in the
> SPD. 

So, if I have policy with some SPD entries that demand secure 
communication with some number of specific hosts/networks and with 
last entry, that allows insecure communication with the rest of the 
internet, does this mean, that such policy will allow *any* host, 
including those specific, to communicate with me insecurely?

> > Now suppose I receive a packet from H2 with the "wrong" security headers. I
> > process the packet and discover SA2 from the destination
> > address/SPI/protocol triple and do the required authentication/decryption.
> > Now I search the SPD. The packet's selectors match the first policy but the
> > wrong SA was used to receive the packet. I want to reject this packet.
> > 
> > However this provision says I should continue searching the inbound SPD. I
> > find the second policy; the packet's selectors match it also. SA2 is the
> > right SA for this policy, so I accept the packet.
> 
> Your policy entry for N2 needs to be narrowed to achieve the exclusion you
> want. Instead of a policy entry that specifies that the "wrong" parameters can 
> be used in communicating with *any* host in network N2, that entry needs to 
> specify that the "wrong" parameters can be used in communicating with hosts 
> X2, Y2, Z2, etc.  (Recently there's been some discussion on the list about 
> increasing the expressiveness of the ID syntax to make it simpler to specify
> policies covering nontrivial combinations of hosts, subnets, etc.)

In this case, what is the purpose of total ordering of SPD entries 
(which architecture draft requires), if we still need to look 
through all of them?

> Hope this helps,
> -Lewis
> <mailto:pseudonym@acm.org>

Regards,

Valery Smyslov.

Follow-Ups:

Re: inbound policy verification

From: Lewis McCarthy <lmccarth@cs.umass.edu>

References:

Re: inbound policy verification

From: Lewis McCarthy <lmccarth@cs.umass.edu>

Prev by Date: Re: who is right ? (take 2)
Next by Date: I-D ACTION:draft-ietf-ipsec-icmp-handle-v4-00.txt
Prev by thread: Re: inbound policy verification
Next by thread: Re: inbound policy verification
Index(es):
- Main
- Thread