[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FW: ipsec error protocol
> >In addition, a (deliberately or not) misconfigured host along the path
> >which implements your scheme would trivially implement this part of
> >the attack -- just convince it that one of its host addresses is the
> >target's address and arrange for the packet stream to hit its
> >ip_input() or equivalent.
> >
>
> One thing to note though is if there is a misconfiguration like that
> it does'nt help a lot since all the follow up communication
> (like probes, rekeys) to the intended address also will fail, and the
> problem can be tracked through general network diagnostic mechanisms
a host misconfigured like that caused serious chaos and confusion on
the wireless network last IETF, and I don't think it was ever
conclusively identified.
> >Existing implementations I'm familiar with don't do (b), and adding
> >this mapping is non-trivial because multiple equivalent SA's may exist
> >between a pair of communicating nodes.
>
> Yes - this would be a problem.
>
> How are the SAs distributed between the pair of communicating nodes?
IKE.
> Could'nt the same channel be used to keep information in sync.
We were discussing how to extend ike to allow for this when you
claimed it was a layering violation.
- Bill
Follow-Ups:
References: