[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ipsec error codes

To: "Biggerstaff, Craig" <Craig.Biggerstaff@csoconline.com>, "'Paul Koning'" <pkoning@xedia.com>
Subject: RE: ipsec error codes
From: "Biggerstaff, Craig" <Craig.Biggerstaff@csoconline.com>
Date: Mon, 12 Apr 1999 13:17:58 -0500
Cc: ipsec@lists.tislabs.com, skelly@redcreek.com
Sender: owner-ipsec@lists.tislabs.com

Point taken.  What I was trying to get across is that the reply channel
should not become the next avenue for nmap-style attack scanning.  If
possible, the reply mechanism should be tied to the IKE "bootstrap" process
such that the information it returns is proportional to the degree of
authentication already received from the initiator.

-- Craig

> ----------
> From: 	Paul Koning[SMTP:pkoning@xedia.com]
> Sent: 	Monday, April 12, 1999 11:45 AM
> To: 	Craig.Biggerstaff@csoconline.com
> Cc: 	ipsec@lists.tislabs.com; skelly@redcreek.com
> Subject: 	RE: ipsec error codes
> 
> >>>>> "Biggerstaff," == Biggerstaff, Craig
> <Craig.Biggerstaff@csoconline.com> writes:
> 
>  Biggerstaff,> I would add a statement to the effect that: "Any event
>  Biggerstaff,> code or message sent to indicate failure to create an
>  Biggerstaff,> SA MUST NOT reveal information that would otherwise
>  Biggerstaff,> only be known to the initiator *after* the successful
>  Biggerstaff,> creation of an SA."
> 
> That sounds sensible, but applied strictly it means canceling the
> product, because ANY message sent reveals some information.
> Minimally, it reveals that the other end is doing IPSEC and might be
> willing to talk if presented with suitable stimuli.
> 
> 	paul
>

Prev by Date: Mismatching PFS
Next by Date: IPSEC monitor MIB
Prev by thread: RE: ipsec error codes
Next by thread: ECN: Tunnel/SA relationship
Index(es):
- Main
- Thread