
Re: Simplifying IKE



Andrew Krywaniuk wrote:

> >   No, the main purpose of quick mode was to be able to amortize the
> > cost of authentication over many SAs. Different SAs can be established
> > to protect different flows ...
> 
> And what is the purpose of having different SAs to protect different flows?
> (besides thwarting traffic analysis)

Far from thwarting traffic analysis, I think that makes it easier. Having 
multiple SAs between two gateways gives an analyst more data. He or she
can look at the data in the header that classifies packets by SA.

I discuss this in the FreeS/WAN documentation:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/ipsec.html#traffic.resist
Comment and criticism solicited.

What I suggest there is that to resist (not thwart!) traffic
analysis, you want at least:

	only one tunnel between a pair of hosts
	all IPSEC data goes down that tunnel
	any other traffic between the hosts goes down it too
	  (encrypt as much as you possibly can, not just what
	   you think you need to)

This still won't stop it completely. For that you'd need to insert dummy
traffic to confuse the analyst, and probably take other measures I haven't
thought of.
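
An illustration added to this archive page, not part of the original message: the sketch below tallies what a gateway operator would find exposed on the wire when reviewing an SA layout, using only the cleartext ESP header fields (SPI, then sequence number). The flow names, sizes and SPI values are constructed sample data, and the function names are hypothetical.

```python
import struct
from collections import defaultdict

# Constructed sample traffic between two gateways: flow label -> payload sizes (bytes).
FLOWS = {
    "interactive": [48, 64, 48, 80],
    "bulk": [1400] * 6,
    "keepalive": [32, 32],
}

def esp_packet(spi, seq, payload_len):
    """Constructed ESP packet: 32-bit SPI and 32-bit sequence number in clear,
    followed by an opaque (here zero-filled) stand-in for the encrypted body."""
    return struct.pack("!II", spi, seq) + b"\x00" * payload_len

def per_flow_sas(flows, base_spi=0x1000):
    """One SA (one SPI) per flow, as when separate SAs protect separate flows."""
    return [esp_packet(base_spi + i, seq, size)
            for i, sizes in enumerate(flows.values())
            for seq, size in enumerate(sizes, 1)]

def single_tunnel(flows, spi=0x2000):
    """Everything between the two hosts carried in one tunnel SA."""
    sizes = [s for flow in flows.values() for s in flow]
    return [esp_packet(spi, seq, size) for seq, size in enumerate(sizes, 1)]

def observer_view(packets):
    """Per-SPI packet and byte counts, using only the unencrypted header."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for pkt in packets:
        if len(pkt) < 8:
            continue  # too short to hold an ESP header
        spi, _seq = struct.unpack("!II", pkt[:8])
        stats[spi]["packets"] += 1
        stats[spi]["bytes"] += len(pkt)
    return dict(stats)

if __name__ == "__main__":
    for name, pkts in (("per-flow SAs", per_flow_sas(FLOWS)),
                       ("single tunnel", single_tunnel(FLOWS))):
        print(name)
        for spi, s in sorted(observer_view(pkts).items()):
            print(f"  SPI 0x{spi:08x}: {s['packets']} packets, {s['bytes']} bytes")
```

With per-flow SAs the tally splits into three rows whose volumes mirror the three flows; with a single tunnel there is one row, though total volume and individual packet sizes remain visible.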

