
RE: Simplifying IKE



At 06:49 AM 8/14/01 , Dilkie, Lee wrote:
>> Imagine that an attacker can generate traffic on flow A behind a
>> gateway and read the encrypted traffic on the Internet; he now has
>> the possibility of doing a chosen-plaintext attack. If the gateway
>> sends traffic across multiple SAs, then cryptanalysis of the output
>> stream for flow A will only allow the attacker to crack the key for
>> SA_A (which only protects traffic which was generated by the
>> attacker).
>> 
>> Andrew
>
>I'm thinking that an attacker with access to the plaintext side of an IPsec gateway already has far easier attacks than sending a trillion plaintext packets (which I'm sure will go unnoticed) through the gateway and doing an analysis on the results.

Perhaps not.  Maybe the attacker is a legitimate user who is authorized
to send traffic via the encrypted connection, but cannot listen in on
traffic from other authorized users.  In that case, the attack scenario
is perfectly valid.  Of course, the real solution to this attack is to
use an encryption algorithm that is secure against a chosen plaintext
attack.  Since that is an attack model used to analyze ciphers, that is
practical.

>
>I think the point is being missed here. It's the complexity of trying to deal with *every* possible security attack that has led to the current mess. It is just not practical to have the IP layer fully responsible for *all* security. Decide what you can do to protect the privacy of communications in a *reasonable* environment. Let the upper, application, layer add its own authentication (and encryption as well if necessary) because that's where those decisions make more sense. Treat security like the onion, as it's supposed to be treated. It's not a failure to punt the problem and say "look, solving that attack is the responsibility of the application, if the consequences are that severe, then the application needs to be secure as well". Think of IPsec as the default "freebie" security that is inherent in the system; if an application needs more, then let them add more.

Actually, (IMHO) it wasn't the huge number of security attacks which
led to the complexity -- it was the large number of requirements.
Why isn't main mode acceptable for everything?  Well, because some
people are concerned (rightly or wrongly) about the additional
messages.  Why do we have both AH and ESP authentication transforms?
Because AH is needed in some cases (so I have heard it claimed), and
will not work in others (e.g. when NAT is involved).  Why do we have
the ESP-NULL "encryption" transform?  Certainly not to prevent an
attack on security.

>
>My 2 cents worth, I now return you to your previous programming.
>
>Lee Dilkie
>
>Mitel Networks
>350 Legget Drive
>Kanata, ON, Canada
>K2K 2W7
>
>Phone: 1-613-592-5660
>
>"It wasn't easy to juggle a pregnant wife and a troubled child, but somehow I managed to fit in eight hours of TV a day."
>     - Homer Simpson (from "The Simpsons")
> 


