
RE: Some queries regarding IP security




	Shamik,

	It is not correct that you'll not get the message when the order
does not match the SPD. This is because you don't look at the SPD until
you get the clear tunnelled packet. You just process the received tunnel
packet according to the SA you found with the help of the tuple from the
packet, not the SPD. Someone may send you a packet with only ESP without
AH when it also requires AH. You'll simply decrypt the packet and let it
go without authentication if you do not check all the SAs referred from
the SPD.

	Regards
	D. Unal

	National Institute of Scientific and Technological Research of
Turkey

	

On Mon, 15 Nov 1999 shganguly@hss.hns.com wrote:

> 
> 
> 
> I was mainly concerned with checking the order of SA application from SPD.
> My point is if your order is not right you will not get back the original packet
> anyway. So what is the point of rechecking it from the SPD?
> 
> -Shamik
> Hughes Software Systems, India
> 
> 
> 
> 
> 
> Andrew Krywaniuk <akrywaniuk@TimeStep.com> on 11/14/99 03:02:14 AM
> 
> To:   "Strahm, Bill" <bill.strahm@intel.com>, Shamik Ganguly/HSS@HSS,
>       ipsec@lists.tislabs.com
> cc:
> 
> Subject:  RE: Some queries regarding IP security
> 
> 
> 
> 
> I think you guys are missing the point of what Shamik was asking. Of course you
> have to check the SPD for every packet to verify the IPs, ports, etc., but
> he was asking specifically about verifying the order of SAs in a bundle.
> 
> I.e. if you negotiate to do IPCOMP ESP AH and the other guy sends you a
> packet with ESP AH IPCOMP (not that this order makes any sense), should you
> drop the packet?
> 
> I seem to remember that this was an issue about 6 months ago, but I'm not
> sure what conclusion, if any, was reached.
> 
> Andrew
> _______________________________________________
>  Beauty without truth is insubstantial.
>  Truth without beauty is unbearable.
> 
> 
> > -----Original Message-----
> > From: Strahm, Bill [mailto:bill.strahm@intel.com]
> > Sent: Friday, November 12, 1999 12:39 PM
> > To: 'shganguly@hss.hns.com'; ipsec@lists.tislabs.com
> > Subject: RE: Some queries regarding IP security
> >
> >
> > I will not speak to the differences between the
> > authentication between AH
> > and ESP, however there are different security threats that
> > are covered by
> > each of these headers...
> >
> > As for why you check the SPD after correctly decrypting the
> > packet try this
> > scenario
> >
> > I want you to have access to several mounts on my machine (securely of
> > course) so I grant you access to the NFS/SMB ports of my machine...
> >
> > However I do not want you to have access to some other protocol on my
> > machine, SMTP, HTTP, or something...
> >
> > I can easily negotiate a SA between our machines for the
> > first case that
> > will allow you to talk to my NFS port, however being the
> > wily hacker that
> > you are, you start sending traffic to the SMTP port using the
> > SPI negotiated
> > for the NFS port.
> >
> > I can not tell which port you are destined for until the packet is
> > decrypted, so I apply (unapply) the SAs and get an IP packet
> > out of it.  I
> > MUST check to see if the ports that you are destined to apply
> > under the SPI
> > that you sent the packet, or my machine is wide open to
> > ANYONE that can
> > negotiate on ANY port.
> >
> > Does a concrete threat help, or do you want a more abstract threat
> > analysis...
> >
> > Bill
> > ______________________________________________
> > Bill Strahm        Programming today is a race between
> > bill.strahm@       software engineers striving to build
> > intel.com          bigger and better idiot-proof programs,
> > (503) 264-4632     and the Universe trying to produce
> >                    bigger and better idiots.  So far, the
> >                    Universe is winning.--Rich Cook
> > I am not speaking for Intel.  And Intel rarely speaks for me
> >
> >
> > > -----Original Message-----
> > > From: shganguly@hss.hns.com [mailto:shganguly@hss.hns.com]
> > > Sent: Thursday, November 11, 1999 10:14 PM
> > > To: ipsec@lists.tislabs.com
> > > Subject: Some queries regarding IP security
> > >
> > >
> > >
> > >
> > >
> > > Hi,
> > >
> > > I have a couple of issues to be clarified regarding IPsec.
> > >
> > > First regarding ESP protocol. ESP provides authentication as well
> > > as confidentiality. The authentication provided by ESP is not as
> > > effective as the one provided by AH. It does not authenticate the
> > > IP header, both in transport as well as tunnel (in tunnel
> > mode the new
> > > IP header) mode. So my query is why is the feature of authentication
> > > provided for in ESP, when it is there in AH which is also
> > > better than the
> > > one in ESP?
> > >
> > > Secondly, this is regarding IPsec inbound packet processing. During
> > > inbound packet processing, the receiver first matches the
> > > packet to its
> > > corresponding SAs, does IPsec processing, after this it
> > > refers to the SPD
> > > to verify whether the ordering of the SAs, the SAs themselves
> > > that were applied,
> > > were correct. If the ordering does not match the packet is
> > > rejected. My
> > > question is, what is the purpose for the last step. Once the
> > > packet has matched the SAs and has undergone IPsec processing
> > > successfully what is the need to again check from the SPD whether the
> > > policy applied is correct. And since SPDs can be big this
> > will lead to
> > > some extra processing overhead? ( ref RFC 2401, Page -33,
> > > Section 5.2.1,
> > > Step 4)
> > >
> > > -Shamik
> > >
> > >
> > >
> >
> 
> 
> 
> 
> 
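
The post-decapsulation check debated in this thread (RFC 2401, Section 5.2.1, step 4), as an added example that is not part of the original messages: a small Python model of a receiver that compares the SAs it actually removed against the bundle the SPD requires for the inner packet. The SPD layout, SPIs, addresses and the function name are constructed for illustration; every SA in every case is assumed to have decrypted or authenticated successfully.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    src: str        # selector: inner source address
    dst: str        # selector: inner destination address
    dport: int      # selector: inner destination port
    bundle: tuple   # (protocol, SPI) pairs in the order the receiver removes them

# Constructed SPD: the peer may reach NFS only, protected by AH outside ESP.
SPD = [Policy("192.0.2.10", "192.0.2.1", 2049, (("AH", 0x2001), ("ESP", 0x2002)))]

def inbound_policy_check(applied, inner, spd=SPD):
    """applied: (protocol, SPI) of every SA already removed, outermost first.
    inner: (src, dst, dport), known only after IPsec processing is done."""
    for pol in spd:
        if (pol.src, pol.dst, pol.dport) != inner:
            continue
        if tuple(applied) == pol.bundle:
            return "accept"
        return "drop: SAs applied do not match the bundle the policy requires"
    return "drop: no policy permits this traffic"

NFS = ("192.0.2.10", "192.0.2.1", 2049)
SMTP = ("192.0.2.10", "192.0.2.1", 25)

# Constructed packets: each one passes per-SA processing, so only the
# SPD check can tell them apart.
CASES = {
    "full bundle to NFS":      ([("AH", 0x2001), ("ESP", 0x2002)], NFS),
    "ESP only, AH missing":    ([("ESP", 0x2002)], NFS),
    "bundle in wrong order":   ([("ESP", 0x2002), ("AH", 0x2001)], NFS),
    "NFS SAs reused for SMTP": ([("AH", 0x2001), ("ESP", 0x2002)], SMTP),
}

if __name__ == "__main__":
    for name, (applied, inner) in CASES.items():
        print(f"{name:24} -> {inbound_policy_check(applied, inner)}")
```
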


