
RE: Some queries regarding IP security



I will not speak to the differences between the authentication between AH
and ESP, however there are different security threats that are covered by
each of these headers...

As for why you check the SPD after correctly decrypting the packet, try this
scenario:

I want you to have access to several mounts on my machine (securely of
course) so I grant you access to the NFS/SMB ports of my machine...

However I do not want you to have access to some other protocol on my
machine, SMTP, HTTP, or something...

I can easily negotiate an SA between our machines for the first case that
will allow you to talk to my NFS port, however being the wily hacker that
you are, you start sending traffic to the SMTP port using the SPI negotiated
for the NFS port.

I cannot tell which port you are destined for until the packet is
decrypted, so I apply (unapply) the SAs and get an IP packet out of it.  I
MUST check to see if the ports that you are destined to apply under the SPI
that you sent the packet, or my machine is wide open to ANYONE that can
negotiate on ANY port.

Does a concrete threat help, or do you want a more abstract threat
analysis...

Bill
______________________________________________
Bill Strahm        Programming today is a race between
bill.strahm@       software engineers striving to build
intel.com          bigger and better idiot-proof programs,
(503) 264-4632     and the Universe trying to produce
                   bigger and better idiots.  So far, the
                   Universe is winning.--Rich Cook
I am not speaking for Intel.  And Intel rarely speaks for me


> -----Original Message-----
> From: shganguly@hss.hns.com [mailto:shganguly@hss.hns.com]
> Sent: Thursday, November 11, 1999 10:14 PM
> To: ipsec@lists.tislabs.com
> Subject: Some queries regarding IP security
>
> Hi,
> 
> I have a couple of issues to be clarified regarding IPsec.
> 
> First regarding ESP protocol. ESP provides authentication as well
> as confidentiality. The authentication provided by ESP is not as
> effective as the one provided by AH. It does not authenticate the
> IP header, both in transport as well as tunnel (in tunnel mode the new
> IP header) mode. So my query is why is the feature of authentication
> provided for in ESP, when it is there in AH which is also better than the
> one in ESP?
>
> Secondly, this is regarding IPsec inbound packet processing. During
> inbound packet processing, the receiver first matches the packet to its
> corresponding SAs, does IPsec processing, after this it refers to the SPD
> to verify whether the ordering of the SAs, the SAs themselves that were
> applied, were correct. If the ordering does not match the packet is
> rejected. My question is, what is the purpose for the last step. Once the
> packet has matched the SAs and has undergone IPsec processing
> successfully what is the need to again check from the SPD whether the
> policy applied is correct. And since SPDs can be big this will lead to
> some extra processing overhead? (ref RFC 2401, Page -33, Section 5.2.1,
> Step 4)
> 
> -Shamik
> 
> 
>
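
The post-decryption policy check described in the reply above, as an added example that is not part of the original thread or of any IPsec implementation. The SPI, addresses and ports are constructed sample values, decryption is assumed to have already succeeded, and the `check_policy` switch is hypothetical, present only to show what is accepted when the check is skipped.

```python
# Added illustration: inbound selector check after IPsec processing.
# All values are constructed; packets are shown in decrypted form.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: int            # 6 = TCP
    dst_ports: frozenset

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src_net)
                and ip_address(pkt["dst"]) in ip_network(self.dst_net)
                and pkt["proto"] == self.proto
                and pkt["dport"] in self.dst_ports)

# SAD: SPI -> selectors of the policy entry the SA was negotiated under.
# Here the SA was set up for the file-sharing ports only (constructed).
SAD = {0x1001: Selector("192.0.2.10/32", "198.51.100.5/32", 6,
                        frozenset({2049, 445}))}

def inbound(spi, inner, check_policy=True):
    """Decide the fate of a packet already decrypted under the given SPI."""
    sa = SAD.get(spi)
    if sa is None:
        return "drop: unknown SPI"
    # The inner ports are only visible now, so this is the first point
    # at which the packet can be compared with the policy for this SA.
    if check_policy and not sa.matches(inner):
        return "drop: inner packet does not match policy for this SA"
    return "deliver"

NFS = {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": 6, "dport": 2049}
SMTP = dict(NFS, dport=25)  # same peer and SPI, different inner port

if __name__ == "__main__":
    for name, pkt in (("NFS", NFS), ("SMTP", SMTP)):
        print(name, "with check:   ", inbound(0x1001, pkt))
        print(name, "without check:", inbound(0x1001, pkt, check_policy=False))
```

Both packets decrypt and authenticate correctly under the same SA; only the selector comparison separates the permitted NFS traffic from the SMTP traffic.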