Re: FW: ipsec error protocol

[Bill Sommerfeld <sommerfeld@East.Sun.COM>]

> >In addition, a (deliberately or not) misconfigured host along the path
> >which implements your scheme would trivially implement this part of
> >the attack -- just convince it that one of its host addresses is the
> >target's address and arrange for the packet stream to hit its
> >ip_input() or equivalent.
> >
> 
> One thing to note though is if there is a misconfiguration like that
> it does'nt help a lot since all the follow up communication
> (like probes, rekeys) to the intended address also will fail, and the
> problem can be tracked through general network diagnostic mechanisms

a host misconfigured like that caused serious chaos and confusion on
the wireless network last IETF, and I don't think it was ever
conclusively identified.

> >Existing implementations I'm familiar with don't do (b), and adding
> >this mapping is non-trivial because multiple equivalent SA's may exist
> >between a pair of communicating nodes.
> 
> Yes - this would be a problem.
> 
> How are the SAs distributed between the pair of communicating nodes?

IKE.

> Could'nt the same channel be used to keep information in sync.

We were discussing how to extend ike to allow for this when you
claimed it was a layering violation.

					- Bill

---

Follow-Ups:

• RE: FW: ipsec error protocol
• From: "sankar ramamoorthi" <sankar@nexsi.com>

References:

• RE: FW: ipsec error protocol
• From: "sankar ramamoorthi" <sankar@nexsi.com>

---

• Prev by Date: RE: FW: ipsec error protocol
• Next by Date: hash payload in IKE
• Prev by thread: RE: FW: ipsec error protocol
• Next by thread: RE: FW: ipsec error protocol
• Index(es):
  • Main
  • Thread