
RE: Some queries regarding IP security






I was mainly concerned with checking the order of SA application from SPD.
My point is if your order is not right you will not get back the original packet
anyway. So what is the point of rechecking it from the SPD?

-Shamik
Hughes Software Systems, India





Andrew Krywaniuk <akrywaniuk@TimeStep.com> on 11/14/99 03:02:14 AM

To:   "Strahm, Bill" <bill.strahm@intel.com>, Shamik Ganguly/HSS@HSS,
      ipsec@lists.tislabs.com
cc:

Subject:  RE: Some queries regarding IP security




I think you guys are missing the point of what Shamik was asking. Of course you
have to check the SPD for every packet to verify the IPs, ports, etc., but
he was asking specifically about verifying the order of SAs in a bundle.

I.e. if you negotiate to do IPCOMP ESP AH and the other guy sends you a
packet with ESP AH IPCOMP (not that this order makes any sense), should you
drop the packet?

I seem to remember that this was an issue about 6 months ago, but I'm not
sure what conclusion, if any, was reached.

Andrew
_______________________________________________
 Beauty without truth is insubstantial.
 Truth without beauty is unbearable.


> -----Original Message-----
> From: Strahm, Bill [mailto:bill.strahm@intel.com]
> Sent: Friday, November 12, 1999 12:39 PM
> To: 'shganguly@hss.hns.com'; ipsec@lists.tislabs.com
> Subject: RE: Some queries regarding IP security
>
>
> I will not speak to the differences between the authentication between AH
> and ESP, however there are different security threats that are covered by
> each of these headers...
>
> As for why you check the SPD after correctly decrypting the packet try this
> scenario
>
> I want you to have access to several mounts on my machine (securely of
> course) so I grant you access to the NFS/SMB ports of my machine...
>
> However I do not want you to have access to some other protocol on my
> machine, SMTP, HTTP, or something...
>
> I can easily negotiate a SA between our machines for the first case that
> will allow you to talk to my NFS port, however being the wily hacker that
> you are, you start sending traffic to the SMTP port using the SPI negotiated
> for the NFS port.
>
> I can not tell which port you are destined for until the packet is
> decrypted, so I apply (unapply) the SAs and get an IP packet out of it.  I
> MUST check to see if the ports that you are destined to apply under the SPI
> that you sent the packet, or my machine is wide open to ANYONE that can
> negotiate on ANY port.
>
> Does a concrete threat help, or do you want a more abstract threat
> analysis...
>
> Bill
> ______________________________________________
> Bill Strahm        Programming today is a race between
> bill.strahm@       software engineers striving to build
> intel.com          bigger and better idiot-proof programs,
> (503) 264-4632     and the Universe trying to produce
>                    bigger and better idiots.  So far, the
>                    Universe is winning.--Rich Cook
> I am not speaking for Intel.  And Intel rarely speaks for me
>
>
> > -----Original Message-----
> > From: shganguly@hss.hns.com [mailto:shganguly@hss.hns.com]
> > Sent: Thursday, November 11, 1999 10:14 PM
> > To: ipsec@lists.tislabs.com
> > Subject: Some queries regarding IP security
> >
> >
> >
> >
> >
> > Hi,
> >
> > I have a couple of issues to be clarified regarding IPsec.
> >
> > First regarding ESP protocol. ESP provides authentication as well
> > as confidentiality. The authentication provided by ESP is not as
> > effective as the one provided by AH. It does not authenticate the
> > IP header, both in transport as well as tunnel (in tunnel mode the new
> > IP header) mode. So my query is why is the feature of authentication
> > provided for in ESP, when it is there in AH which is also better than the
> > one in ESP?
> >
> > Secondly, this is regarding IPsec inbound packet processing. During
> > inbound packet processing, the receiver first matches the packet to its
> > corresponding SAs, does IPsec processing, after this it refers to the SPD
> > to verify whether the ordering of the SAs, the SAs themselves that were
> > applied, were correct. If the ordering does not match the packet is
> > rejected. My question is, what is the purpose for the last step. Once the
> > packet has matched the SAs and has undergone IPsec processing
> > successfully what is the need to again check from the SPD whether the
> > policy applied is correct. And since SPDs can be big this will lead to
> > some extra processing overhead? (ref RFC 2401, Page -33, Section 5.2.1,
> > Step 4)
> >
> > -Shamik
> >
> >
> >
>
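
Added example, not part of any message in this thread: the post-decapsulation policy check the thread discusses, covering both the NFS/SMTP selector case and the SA-ordering case, with a mismatch rejected as in the RFC 2401 step the original question cites. The address, ports, SPIs, the `Policy` type and `check_inbound` are constructed for illustration, and treating unmatched selectors as a drop is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    src: str        # selector: peer address
    dst_port: int   # selector: destination port of the inner packet
    bundle: tuple   # required (protocol, SPI) pairs, in processing order

# Constructed SPD: the peer may reach NFS (port 2049) under AH then ESP, nothing else.
SPD = [Policy("192.0.2.10", 2049, (("AH", 0x1001), ("ESP", 0x1002)))]

def check_inbound(spd, src, dst_port, applied):
    """Policy check run after the IPsec headers have been removed.

    applied: (protocol, SPI) of every SA used on this packet, in the order
    the headers were processed. Returns (accept, reason).
    """
    for pol in spd:  # ordered SPD: the first entry whose selectors match decides
        if (pol.src, pol.dst_port) != (src, dst_port):
            continue
        if tuple(applied) == pol.bundle:
            return True, "ok"
        if sorted(applied) == sorted(pol.bundle):
            return False, "SA order differs from policy"
        return False, "SAs differ from policy"
    return False, "no policy for these selectors"  # assumption: unmatched means drop

if __name__ == "__main__":
    nfs_sas = [("AH", 0x1001), ("ESP", 0x1002)]
    cases = [
        ("NFS, negotiated bundle", 2049, nfs_sas),
        ("SMTP sent under the NFS SAs", 25, nfs_sas),
        ("NFS, headers in the wrong order", 2049, nfs_sas[::-1]),
        ("NFS, ESP only", 2049, nfs_sas[1:]),
    ]
    for label, port, applied in cases:
        print(label, "->", check_inbound(SPD, "192.0.2.10", port, applied))
```

Every SA in the second case authenticates and decrypts correctly; only the selector lookup against the SPD catches that the inner packet is not the traffic those SAs were negotiated for.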





