
Re: TOS copying considered harmful





Black_David@emc.com wrote:
> 
> > IPsec is a security protocol, thus it is appropriate for it to
> > include explicit controls when security-relevant mapping takes place
> > relevant to a tunnel. By the way, it's not traffic analysis per se
> > that is the major concern. The concern is that a Trojan Horse
> > "behind" the IPsec implementation uses the TOS field to exfiltrate
> > data.
> 
> And if the network beyond the tunnel egress is using that field to
> determine which packets get what QoS-based services, there
> are also possible denial of service attacks based on modifying
> the field in the outer header of tunneled traffic.
> 
> For the record, I like Steve's proposal for modifications to RFC 2401's
> rules for tunnel header processing, and there's text in a number of
> diffserv RFCs that was written in anticipation/hope of such changes
> (e.g., see p.30 of RFC 2475).  I would expect that specification of
> these changes would be accompanied by guidance on their proper
> use and warning about security risks that may make them
> inappropriate to configure/use in some situations, right?

RFC2003 specifies that the TOS bit is copied from the inner header.

Could we either:

	- not create a new spec
or
	- synchronize these modifications with existing specs
	(get an update to 2003 in the works)


PS - ditto for the IPSEC rules for DF. 2003 says 'copy or SET',
but 'CLEAR' is not an option. It would be generally preferable
for the IPSEC specs to NOT summarize other (possibly changing)
specs, but refer to them, and highlight changes required only.

Joe
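
Added example, not part of the original message or of any spec cited in it: a minimal IP-in-IP encapsulator with the outer TOS and DF handling made explicit policy choices, showing which outer TOS values are visible outside the tunnel under each setting. The policy names, the `fixed` TOS option, the function names and the sample addresses are assumptions made for illustration; `fixed` is one possible control, not the text of the proposal under discussion.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IP-in-IP, the encapsulation RFC 2003 defines
DF = 0x4000       # Don't Fragment bit in the flags/fragment-offset word

def checksum(hdr):
    """Internet checksum over a header whose length is even."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(tos, total_len, df, proto, src, dst, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0,
                      DF if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner, tun_src, tun_dst, tos="copy", fixed_tos=0, df="copy"):
    """Prepend an outer header; tos is 'copy' or 'fixed', df is 'copy', 'set' or 'clear'."""
    if tos not in ("copy", "fixed") or df not in ("copy", "set", "clear"):
        raise ValueError("unknown policy")
    inner_tos = inner[1]
    inner_df = bool(struct.unpack("!H", inner[6:8])[0] & DF)
    outer_tos = inner_tos if tos == "copy" else fixed_tos
    # 'clear' is the choice the message says RFC 2003 does not offer.
    outer_df = {"copy": inner_df, "set": True, "clear": False}[df]
    outer = ipv4_header(outer_tos, 20 + len(inner), outer_df,
                        IPPROTO_IPIP, tun_src, tun_dst)
    return outer + inner

def outer_tos_seen(inners, **policy):
    """Distinct outer TOS values visible on the path outside the tunnel."""
    return sorted({encapsulate(p, TUN_SRC, TUN_DST, **policy)[1] for p in inners})

# Constructed sample data: documentation addresses, header-only inner packets.
TUN_SRC, TUN_DST = "192.0.2.1", "198.51.100.1"
INNERS = [ipv4_header(t, 20, True, 6, "10.0.0.5", "10.0.1.9")
          for t in (0x00, 0x04, 0xB8)]

if __name__ == "__main__":
    print("copy :", outer_tos_seen(INNERS, tos="copy"))
    print("fixed:", outer_tos_seen(INNERS, tos="fixed", fixed_tos=0))
```

With `copy`, every distinct inner TOS value reappears in the outer header; with `fixed`, the outer field carries one value regardless of what the inner host set.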

