
Re: inbound vs outbound?



At 10:31 PM 9/3/01, mahdavi@sepahan.iut.ac.ir wrote:
>Hi.
>You are right.
>But pay attention to the fact that the RFC is for all implementations.
>Now just verify this phrase (if it is correct, and if it is not, tell me
>why).
>
>"IF a regular packet is received by our router and it was not tunneled to this
>router, it is enough to apply just the outbound process."
>
>If the above sentence is not correct, let me know. (Think about a security
>gateway -- in a router.)
That is not correct.  Again, RFC2401 states "The SPD must be consulted
during the processing of all traffic (INBOUND and OUTBOUND), including
non-IPsec traffic."  One of the things that sentence implies is that
all inbound non-ESP-for-us traffic must be checked against the SPD to
verify whether it should have been encrypted, and dropped if it should
have been.

Here is an attack that can happen if you don't follow this rule.  Suppose
that there is a packet that the attacker wants to inject into the system.
It might be, for example, a UDP packet that kicks off an RPC procedure on
the target system.  Since the attacker has access only to a section of
the cloud where all such packets are IPSec protected, he shouldn't be
able to do so.  However, with your proposed method, all the attacker
would have to do is inject the packet in the clear.  When this packet
hits the security gateway, it will see that the packet didn't have the
router as the destination and so just forward it on, and the attacker
has won.

>
>sincerely yours
>
>mahdavi
>
>>
>> In RFC2401's terminology,
>> an "inbound" packet means a packet received on an interface,
>> an "outbound" packet means a packet sent on an interface.
>>
>> I think you shouldn't use the terms "inbound" and "outbound" if you wish
>> to express another concept.
>>
>> RFC2401, paragraph 4.4, states that "The SPD must be consulted during
>> the processing of all traffic (INBOUND and OUTBOUND), including
>> non-IPsec traffic." and also "Thus the administrative interface must
>> allow the user (or system administrator) to specify the security
>> processing to be applied to any packet entering or exiting the system,
>> on a packet by packet basis."
>>
>> It follows that the SPD is consulted twice for forwarded packets.
>>
>>
>> There are not necessarily two physically separate SPDs, but if you only
>> have one SPD, you should add the "direction (inbound/outbound)" info in
>> each entry.
>>
> 



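The attack described in the reply above, in runnable form. This is an added example for this thread, not code from the original message or from any IPsec implementation. It models a single SPD with a direction field in each entry (as the quoted message suggests) and a gateway that either consults only the outbound SPD for forwarded cleartext packets (the proposed shortcut) or, per RFC 2401 section 4.4, consults the inbound SPD first. The addresses, policy entries and packets are constructed; the ipsec_protected flag stands in for the state a real implementation carries after ESP decapsulation, and port 111 is simply the standard sunrpc/portmapper port.

```python
"""
Toy model of RFC 2401 section 4.4 SPD consultation on a security gateway.
Added example for this thread, not code from the original message or from
any IPsec implementation. The SPD entries, addresses and packets below are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "udp", "tcp", ...
    dport: Optional[int] = None
    # True only if this packet was just decapsulated from an SA terminating
    # on this gateway, i.e. it really did arrive IPsec-protected.
    ipsec_protected: bool = False


@dataclass(frozen=True)
class SPDEntry:
    direction: str                 # "inbound" or "outbound": one SPD, direction per entry
    src: str                       # CIDR selector
    dst: str                       # CIDR selector
    proto: Optional[str]           # None = any protocol
    dport: Optional[int]           # None = any destination port
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


def lookup(spd, direction: str, pkt: Packet) -> str:
    """First matching entry wins; no match is treated as DISCARD (default deny)."""
    for entry in spd:
        if entry.direction == direction and entry.matches(pkt):
            return entry.action
    return "DISCARD"


def gateway_decision(spd, pkt: Packet, consult_inbound: bool = True) -> str:
    """
    Decide what the gateway does with a packet it is about to forward.
    consult_inbound=True  -> RFC 2401 behaviour: inbound SPD, then outbound SPD.
    consult_inbound=False -> the shortcut proposed in the thread: a cleartext
                             packet not tunneled to us is only checked outbound.
    Returns "drop", "forward-clear" or "forward-esp".
    """
    if consult_inbound:
        inbound = lookup(spd, "inbound", pkt)
        if inbound == "DISCARD":
            return "drop"
        # Inbound policy says this traffic must arrive inside an SA. A
        # cleartext packet matching it was injected or leaked: drop it.
        if inbound == "PROTECT" and not pkt.ipsec_protected:
            return "drop"
    outbound = lookup(spd, "outbound", pkt)
    return {"DISCARD": "drop",
            "BYPASS": "forward-clear",
            "PROTECT": "forward-esp"}[outbound]


# Constructed policy: 10.1.0.0/16 is the site behind this gateway,
# 10.2.0.0/16 is the remote site reached through an ESP tunnel.
SPD = [
    SPDEntry("inbound",  "10.2.0.0/16", "10.1.0.0/16", None, None, "PROTECT"),
    SPDEntry("inbound",  "10.1.0.0/16", "10.2.0.0/16", None, None, "BYPASS"),
    SPDEntry("outbound", "10.1.0.0/16", "10.2.0.0/16", None, None, "PROTECT"),
    SPDEntry("outbound", "10.2.0.0/16", "10.1.0.0/16", None, None, "BYPASS"),
]

# Constructed packets. INJECTED is the attacker's cleartext UDP packet aimed
# at the portmapper on an internal host; LEGIT is the same datagram after
# decapsulation from the tunnel; INTERNAL is traffic going the other way.
INJECTED = Packet("10.2.7.7", "10.1.0.20", "udp", 111, ipsec_protected=False)
LEGIT = Packet("10.2.7.7", "10.1.0.20", "udp", 111, ipsec_protected=True)
INTERNAL = Packet("10.1.0.20", "10.2.7.7", "udp", 111)

if __name__ == "__main__":
    print("shortcut, injected  :", gateway_decision(SPD, INJECTED, consult_inbound=False))
    print("RFC 2401, injected  :", gateway_decision(SPD, INJECTED))
    print("RFC 2401, from tunnel:", gateway_decision(SPD, LEGIT))
    print("RFC 2401, internal  :", gateway_decision(SPD, INTERNAL))
```

With the shortcut, the injected packet matches only the outbound BYPASS entry and is forwarded in the clear; with the inbound SPD consulted first, the same packet matches the inbound PROTECT entry, is found not to have arrived under an SA, and is dropped, while the genuinely decapsulated copy passes and internal-originated traffic is sent for ESP processing.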