[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

TOS copying considered harmful

To: IP Security List <ipsec@lists.tislabs.com>
Subject: TOS copying considered harmful
From: Henry Spencer <henry@spsystems.net>
Date: Wed, 13 Sep 2000 12:29:16 -0400 (EDT)
Sender: owner-ipsec@lists.tislabs.com

RFC 2401's discussion of how to prepare the outer headers in tunnel mode
(5.1.2.1) is quite explicit that the TOS field is copied from the inner
header to the outer header.  In the grand tradition of IPsec RFCs, there
is no rationale -- no explanation or discussion of tradeoffs. 

I suggest that this copying is a mistake -- that the TOS of the outer
header should be forced to a specific value, probably 0 -- unless,
perhaps, all traffic carried by the tunnel has the same TOS.  (How that
would be known is less clear, although conceivably one could copy TOS
for the first packet and just use that value for all subsequent packets.)
At the very least, the spec should allow implementations to do this if
they wish.

Why?  Two reasons.

First, copying TOS is a security leak:  it permits an eavesdropper to
categorize packets, which may aid traffic analysis or cryptanalysis.  One
major reason for routing different types of traffic through the same
tunnel is specifically to *interfere* with such analysis, but the gain
from doing so is compromised by this information leak. 

Second, as noted in recent work by the diffserv WG, packets with different
TOS values may be re-ordered en route, and "slow" packets on a busy path
can end up outside the AH/ESP anti-replay window.

                                                          Henry Spencer
                                                       henry@spsystems.net

Follow-Ups:

Re: TOS copying considered harmful

From: Stephen Kent <kent@bbn.com>

Prev by Date: XAUTH
Next by Date: 128Bit Encryption
Prev by thread: Re: XAUTH
Next by thread: Re: TOS copying considered harmful
Index(es):
- Main
- Thread