
Re: IPsec and RTP crypto




>> 	I don't think it's a "poor fit" in the mobile-ip6 case.
>Here's a more specific concern:
>The use of ipsec for protecting piggybacked binding updates interferes
>with safe use of ipsec opportunistic encryption.
>A service may set up a listening tcp port with a policy which says
>"allow cleartext, or AH-protected, but once encryption is used,
>require it on all subsequent packets".
>Now, it receives an AH-protected TCP SYN with a binding update
>attached (which seems to be a highly likely combination).
>Is the receiver to interpret the use of ipsec for that packet as:
>a) an indication that all other traffic on this connection will be
>protected with AH?
>b) a signal that just the segment with the binding update is protected
>and to expect cleartext on other packets?
>The conservative thing to do is to assume (a), and prevent the
>connection from being assassinated by forged, unauthenticated RSTs.

	I see.  In this case AH is not the culprit; the mobile-ip6 binding update
	piggyback is!  I don't understand why people are attacking AH.

itojun
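The receiver-side question in the quoted text, as an added, constructed model that is not code from this thread or from any IPsec or Mobile IPv6 implementation: a listening port whose policy allows cleartext or AH, but latches to "AH required" once an AH-protected segment is seen (interpretation (a)), compared against a receiver that treats protection per segment (interpretation (b)). The trace is a constructed one: an AH-protected SYN carrying a binding update, followed by cleartext data from the same peer (who protected only the segment with the binding update) and a forged, unauthenticated RST. The addresses, port numbers and the three-state TCP model are assumptions for illustration only.

```python
"""Toy model of the two readings of an AH-protected SYN with a piggybacked
binding update.  Constructed example; not IPsec or Mobile IPv6 stack code.

  (a) latch:        once AH is seen on a connection, require it on every
                    later segment of that connection
  (b) per-segment:  only the segment carrying the binding update was
                    protected; later cleartext is accepted
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset              # e.g. frozenset({"SYN"})
    ah: bool = False              # True if the segment arrived under an AH SA
    binding_update: bool = False  # Mobile IPv6 binding update piggybacked


@dataclass
class FlowState:
    require_ah: bool = False  # latched policy for this connection
    open: bool = False        # connection exists (SYN seen, no RST yet)


FlowKey = Tuple[str, int, str, int]


class Receiver:
    def __init__(self, latch: bool) -> None:
        self.latch = latch  # True -> interpretation (a); False -> (b)
        self.flows: Dict[FlowKey, FlowState] = {}

    @staticmethod
    def key(seg: Segment) -> FlowKey:
        return (seg.src, seg.sport, seg.dst, seg.dport)

    def receive(self, seg: Segment) -> str:
        st = self.flows.setdefault(self.key(seg), FlowState())
        # (a): the first AH-protected segment latches AH for the connection.
        if self.latch and seg.ah:
            st.require_ah = True
        # Policy check: unauthenticated segments on a latched flow are dropped,
        # which is what defeats a forged cleartext RST.
        if st.require_ah and not seg.ah:
            return "DROP:ah-required"
        if "RST" in seg.flags:
            if not st.open:
                return "DROP:no-connection"
            st.open = False
            return "ACCEPT:rst-torn-down"
        if "SYN" in seg.flags:
            st.open = True
            return "ACCEPT:syn"
        if not st.open:
            return "DROP:no-connection"
        return "ACCEPT:data"

    def alive(self, seg: Segment) -> bool:
        st = self.flows.get(self.key(seg))
        return bool(st and st.open)


# Constructed addresses and ports (documentation prefix), not real hosts.
MN, CN = "2001:db8:1::2", "2001:db8:2::80"
SYN_BU = Segment(MN, 40000, CN, 80, frozenset({"SYN"}), ah=True, binding_update=True)
DATA = Segment(MN, 40000, CN, 80, frozenset({"ACK"}))        # legitimate, cleartext
FORGED_RST = Segment(MN, 40000, CN, 80, frozenset({"RST"}))  # attacker, unauthenticated
TRACE: List[Segment] = [SYN_BU, DATA, FORGED_RST]


def run(latch: bool, trace: List[Segment] = TRACE) -> Tuple[List[str], bool]:
    """Feed the trace to a receiver and report the verdicts and whether
    the connection opened by trace[0] is still alive afterwards."""
    rx = Receiver(latch)
    verdicts = [rx.receive(s) for s in trace]
    return verdicts, rx.alive(trace[0])


if __name__ == "__main__":
    for latch in (True, False):
        verdicts, alive = run(latch)
        label = "(a) latch" if latch else "(b) per-segment"
        print(f"{label}: {verdicts}; connection alive = {alive}")
```

Running it shows both halves of the concern: under (a) the forged RST is dropped and the connection survives, but the peer's legitimate cleartext data is dropped too, because the receiver cannot tell from the AH-protected SYN whether the peer meant to protect the whole connection or only the binding update; under (b) the data flows, and the forged RST tears the connection down.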

