Re: Some queries regarding IP security

Hi, 

To me the ESP's AH trailer is an alternative so that it is not necessary to
have adjacent (AH + ESP) bundles regarding the IKE and your SA database's
effort to keep them.

SP should be verified after inbound processing. I can think of an example:
if somebody else (not the peer) sends a fake packet, say ESP transport-mode
encryption only, and it happens to fit what the inbound SA says, then
you decrypt it (decryption is silent; it might just be junk data in there) and
would accept it (if not consulting the policy). Thus it is a kind of DoS
attack. The SP will be the last protection, just like packet filtering.

Correct me...

Regards,

Qiang 

At 11:43 AM 11/12/99 +0530, shganguly@hss.hns.com wrote:
>
>Hi,
>
>I have a couple of issues to be clarified regarding IPsec.
>
>First regarding ESP protocol. ESP provides authentication as well
>as confidentiality. The authentication provided by ESP is not as
>effective as the one provided by AH. It does not authenticate the
>IP header, both in transport as well as tunnel (in tunnel mode the new
>IP header) mode. So my query is why is the feature of authentication
>provided for in ESP, when it is there in AH which is also better than the
>one in ESP?
>
>Secondly, this is regarding IPsec inbound packet processing. During
>inbound packet processing, the receiver first matches the packet to its
>corresponding SAs, does IPsec processing, and after this it refers to the SPD
>to verify whether the ordering of the SAs, and the SAs themselves that were
>applied, were correct. If the ordering does not match, the packet is rejected.
>My question is: what is the purpose of the last step? Once the
>packet has matched the SAs and has undergone IPsec processing
>successfully, what is the need to again check from the SPD whether the
>policy applied is correct? And since SPDs can be big, this will lead to
>some extra processing overhead? (ref. RFC 2401, page 33, Section 5.2.1,
>Step 4)
>
>-Shamik
>

-Qiang

1100 Warnings!
--Line 100000: 3 cokes shut down your immune system for 24 hours, so stay
away from sodas!
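The inbound check discussed above (RFC 2401 section 5.2.1, step 4), modelled as an added example that is not part of this thread: after the SAs named by a packet's IPsec headers have been applied, the receiver consults the SPD entry for the traffic and rejects the packet if the protection actually applied is weaker than policy demands. The addresses, SPIs, service names and the check_policy switch are constructed for illustration; no real cryptography is performed.

```python
# Added example (not from the thread): RFC 2401 section 5.2.1 step 4 in miniature.
# An encryption-only ESP SA decrypts anything that names its SPI without
# complaint, so a forged packet survives SA processing; only the SPD comparison
# afterwards notices that the policy's required integrity service never ran.
# Addresses, SPIs and service names below are constructed for this example.

# Inbound SAD: (dst, spi, proto) -> security services that SA provides.
SAD = {
    ("10.0.0.2", 0x1001, "ESP"): {"confidentiality"},   # ESP, encryption only
    ("10.0.0.2", 0x1002, "AH"):  {"integrity"},
}

# SPD: (src, dst) -> services policy requires on inbound traffic.
SPD = {
    ("10.0.0.1", "10.0.0.2"): {"confidentiality", "integrity"},
}


def inbound_process(src, dst, headers, check_policy=True):
    """headers: IPsec headers outermost first, as (proto, spi) tuples.

    Returns (accepted, reason). check_policy=False stops after SA processing,
    i.e. it omits step 4; the forged-packet case shows why that is unsafe.
    """
    applied = set()
    for proto, spi in headers:
        sa = SAD.get((dst, spi, proto))
        if sa is None:
            return False, "no inbound SA for (dst, spi, proto)"
        # ESP without authentication yields junk plaintext silently; AH would
        # fail its ICV check here, but nothing in this SA can detect a forgery.
        applied |= sa
    if not check_policy:
        return True, "accepted after SA processing only"
    required = SPD.get((src, dst))
    if required is None:
        return False, "no SPD entry for this traffic"
    missing = required - applied
    if missing:
        return False, "policy requires " + ", ".join(sorted(missing))
    return True, "accepted; applied protection matches policy"
```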