
Re: TOS copying considered harmful
Stephen Kent wrote:
> 
> Joe,
> 
> >Stephen Kent wrote:
> >  >
> >  > Joe,
> >  >
> >  > I agree with Henry here.  We have security issues that influence
> >  > whether, when, and how we copy data between the red and black IP
> >  > headers, in tunnel mode. 2003 is not attuned to the issues, nor
> >  > should it be.
> >  >
> >  > In the rewrite of 2401, we will try to do a much better job of
> >  > describing these mappings, and the rationale behind each.  We didn't
> >  > get all of them right last time and will try to do better this time
> >  > around.
> >
> >Would it not be preferable to get those issues in to 2003bis, in one
> >place?
> >(they _are_ security considerations).
> >
> >(I'm not proposing to omit the changes, just to roll them, and their
> >protocol implications, into 2003bis)
> 
> the security issues surrounding mapping of header fields are relevant
> only if one is encrypting the tunneled packet, so I don't understand
> why 2003bis would want to include this info.  Could you clarify?

(warning - potential heresy to follow :-)

IPSEC may not be the only protocol for encrypting IP packets.

2003bis should refer to the general idea that, if the interior payload
is otherwise encrypted, then there are security considerations to
copying certain bits, rather than fixing their value.

Joe

