Re: IPSec Complexity
Skip,
I think the problem is much worse than your example suggests. If a
site has SAs to multiple other sites or multiple dialup users, then
once the traffic pops out of an SA, the rest of the receiver system
does not know which SA the traffic came from (assuming modular
layering of the pieces of the receiver system). Thus any filtering
that is applied to the inner header can determine only if ANY
legitimate source is allowed to send traffic of a specific form, not
whether the sender in question was allowed to send the traffic in
question. Thus any source can spoof traffic that would be acceptable
if it came from any other source with which the receiver is willing
to communicate. In the worst case, the scope of this spoofing applies
to sources irrespective of whether such sources have SAs in place at
the time the traffic arrives. This is the sort of problem I was
referring to as a side effect of disassociating access control
filtering from IPsec.
Steve
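
The problem described in the message above, modeled as an added example that is not part of the original message: one filter sees only the inner header after decapsulation, the other keeps the SA with the packet and checks the inner source against it. The SPIs, site names, prefixes, and rules are constructed sample values, and binding one source prefix to each SA is an assumption made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    peer: str        # authenticated remote site (constructed name)
    inner_src: str   # prefix this peer may use as inner source (assumption)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Constructed sample policy: two remote sites, each with its own SA.
SAS = {
    0x1001: SA(0x1001, "site-a", "10.1.0.0/16"),
    0x1002: SA(0x1002, "site-b", "10.2.0.0/16"),
}
# Inner-header rules: (allowed source prefix, destination port).
RULES = [("10.1.0.0/16", 22), ("10.2.0.0/16", 80)]

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def filter_detached(pkt):
    """Runs after decapsulation with no knowledge of the SA, so it can only
    ask whether ANY legitimate source may send traffic of this form."""
    return any(_in(pkt.src, p) and pkt.dport == port for p, port in RULES)

def filter_sa_bound(spi, pkt):
    """Keeps the SA with the packet: the inner source must fall inside the
    prefix bound to the SA the packet actually arrived on."""
    sa = SAS.get(spi)
    if sa is None or not _in(pkt.src, sa.inner_src):
        return False
    return filter_detached(pkt)

def demo():
    # Arrives on site-b's SA but carries an inner source from site-a's range.
    spoofed = Packet("10.1.5.9", "192.168.0.10", 22)
    return {
        "detached_filter_accepts": filter_detached(spoofed),
        "sa_bound_filter_accepts": filter_sa_bound(0x1002, spoofed),
        "same_packet_on_owner_sa": filter_sa_bound(0x1001, spoofed),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The detached filter accepts the packet because some legitimate source could have sent it; the SA-bound filter rejects it because this particular sender could not.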