Re: IPSec Complexity



Skip,

I think the problem is much worse than your example suggests.  If a 
site has SAs to multiple other sites or multiple dialup users, then 
once the traffic pops out of an SA, the rest of the receiver system 
does not know which SA the traffic came from (assuming modular 
layering of the pieces of the receiver system).  Thus any filtering 
that is applied to the inner header can determine only if ANY 
legitimate source is allowed to send traffic of a specific form, not 
whether the sender in question was allowed to send the traffic in 
question.  Thus any source can spoof traffic that would be acceptable 
if it came from any other source with which the receiver is willing 
to communicate. In the worst case, the scope of this spoofing applies 
to sources irrespective of whether such sources have SAs in place at 
the time the traffic arrives.  This is the sort of problem I was 
referring to as a side effect of disassociating access control 
filtering from IPsec.

Steve
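
The difference described in the message above, as an added example that is not part of the original post: the same decapsulated packets are checked by a filter that cannot see the arrival SA and by one bound to it. Peer names, SPIs, prefixes and function names are constructed for illustration, and site-a deliberately has no SA in place.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: inner source prefixes each peer is authorised to use.
PEER_PREFIXES = {
    "site-a": [ipaddress.ip_network("10.1.0.0/16")],
    "site-b": [ipaddress.ip_network("10.2.0.0/16")],
    "dialup-1": [ipaddress.ip_network("192.0.2.7/32")],
}
# Constructed SA table: SPI -> peer. site-a currently has no SA established.
ACTIVE_SAS = {0x1002: "site-b", 0x1003: "dialup-1"}


@dataclass(frozen=True)
class Decapsulated:
    spi: int        # SA the packet arrived on, known only to the IPsec layer
    inner_src: str  # source address claimed in the inner header


def detached_filter(pkt):
    """Filter behind a modular IPsec layer: the SPI is gone, so it can only
    ask whether ANY legitimate peer may use this inner source."""
    src = ipaddress.ip_address(pkt.inner_src)
    return any(src in net for nets in PEER_PREFIXES.values() for net in nets)


def sa_bound_filter(pkt):
    """Access control tied to IPsec: the inner source must match the
    prefixes of the peer that owns the SA the packet arrived on."""
    peer = ACTIVE_SAS.get(pkt.spi)
    src = ipaddress.ip_address(pkt.inner_src)
    return any(src in net for net in PEER_PREFIXES.get(peer, []))


def compare(packets):
    """Return (spi, inner_src, detached verdict, SA-bound verdict) rows."""
    return [(hex(p.spi), p.inner_src, detached_filter(p), sa_bound_filter(p))
            for p in packets]


SAMPLE = [  # constructed packets
    Decapsulated(0x1002, "10.2.3.4"),    # site-b using its own prefix
    Decapsulated(0x1002, "10.1.4.9"),    # site-b claiming a site-a address
    Decapsulated(0x1003, "10.2.0.5"),    # dial-up user claiming site-b
    Decapsulated(0x1003, "172.16.0.1"),  # source no peer is authorised for
]

if __name__ == "__main__":
    for row in compare(SAMPLE):
        print(row)
```

The second and third rows are the cases the message describes: the detached filter accepts them, including the site-a address for which no SA exists, while the SA-bound check rejects them.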

