
RE: Transport / Tunnel Mode



Of course the routing and fragmentation issues are important. I was merely
pointing out an additional security flaw with transport mode ESP.

If the transport mode SA is host-sgw or sgw-sgw such that the SA may cover a
range of IPs, AH must be used in order to protect the IPs. Otherwise, an
intermediate router can redirect the traffic to a different host behind the
gateway, which could aid a combined internal-external attack.

Andrew
--------------------------------------
Beauty without truth is insubstantial.
Truth without beauty is unbearable.


> -----Original Message-----
> From: Henry Spencer [mailto:henry@spsystems.net]
> Sent: Wednesday, November 29, 2000 6:29 PM
> To: Andrew Krywaniuk
> Cc: 'IpsecMailingList (E-mail)'
> Subject: RE: Transport / Tunnel Mode
>
>
> On Wed, 29 Nov 2000, Andrew Krywaniuk wrote:
> > And isn't there also the issue that you couldn't use ESP authentication with
> > sgw-sgw or host-sgw transport mode? AH would again become mandatory in order
> > to protect the outer (and only) header.
>
> Not (absolutely) necessarily.  In IPv4 in particular, AH protects very
> little that's of interest except the source and destination addresses.
> Remember that authentication tells you not only that the packet has not
> been altered in transit, but also that it did actually come from the other
> end of that SA.  Depending on which packets are flowing through which SAs,
> the mere fact that a packet emerged from a particular SA (and passed its
> authentication) might be enough to verify source and destination addresses.
>
> As others have noted, and as RFC 2401 explicitly states in 4.1, the bottom
> line is that multiple fragments may not follow the same route to reach
> their destination.  So when decryption (etc.) is being done by an
> interposed security gateway rather than by the end host, the security
> gateway must be the ostensible destination of the packet, so it can be
> sure it gets all the fragments.
>
>
> Henry Spencer
>
> henry@spsystems.net
>
>
>
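The coverage difference the thread turns on (an ESP transport-mode ICV stops short of the IP header, while the AH ICV covers the immutable header fields including the addresses), shown as an added illustration that is not part of the original messages or any IPsec implementation. Encryption is omitted, the key, addresses and payload are constructed, and the truncated HMAC-SHA-256 ICV stands in for a real ICV algorithm.

```python
"""ESP vs AH integrity coverage in IPsec transport mode (constructed demo)."""
import hmac, hashlib, struct

KEY = b"constructed-demo-key"      # constructed sample key, not from the thread
ICV_LEN = 12                        # truncated ICV, like the 96-bit HMAC variants

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def ipv4_header(src, dst, proto, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left zero for the demo."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, ttl, proto, 0, ip(src), ip(dst))

def ah_immutable(ip_hdr):
    """Zero the mutable IPv4 fields (TOS, flags/offset, TTL, checksum) before the
    AH ICV, as RFC 2402 prescribes; the src/dst addresses stay covered."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def esp_transport(ip_hdr, spi, seq, payload):
    """ESP: ICV covers only the ESP header + payload, never the IP header."""
    esp = struct.pack("!II", spi, seq) + payload
    return ip_hdr + esp + icv(esp)

def esp_verify(pkt):
    return hmac.compare_digest(icv(pkt[20:-ICV_LEN]), pkt[-ICV_LEN:])

def ah_transport(ip_hdr, spi, seq, payload):
    """AH: ICV covers immutable IP fields, the AH header (ICV zeroed) and payload."""
    ah = struct.pack("!BBHII", 0, 4, 0, spi, seq)   # next hdr, len, reserved, SPI, seq
    return ip_hdr + ah + icv(ah_immutable(ip_hdr) + ah + b"\0" * ICV_LEN + payload) + payload

def ah_verify(pkt):
    ip_hdr, ah, got, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv(ah_immutable(ip_hdr) + ah + b"\0" * ICV_LEN + payload), got)

def reroute(pkt, new_dst):
    """Model an intermediate router decrementing TTL and rewriting the destination
    to another host behind the gateway, the case Andrew describes above."""
    h = bytearray(pkt[:20]); h[8] -= 1
    h[16:20] = bytes(int(o) for o in new_dst.split("."))
    return bytes(h) + pkt[20:]

def survives_reroute(mode, new_dst="10.0.0.99"):
    """True if a packet whose destination was rewritten in transit still passes the
    receiver's integrity check; only ESP transport mode lets it through."""
    build, verify, proto = {"esp": (esp_transport, esp_verify, 50),
                            "ah": (ah_transport, ah_verify, 51)}[mode]
    ip_hdr = ipv4_header("192.0.2.1", "10.0.0.1", proto)   # constructed addresses
    pkt = build(ip_hdr, 0x1000, 1, b"constructed payload")
    assert verify(pkt)                                     # untouched packet passes
    return verify(reroute(pkt, new_dst))
```

Henry's counterpoint also shows up here: the ESP check still binds the packet to the SA (the ICV only passes under the SA's key), so whether the unprotected addresses matter depends on what the receiving gateway does with them after decapsulation.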