
Re: Suggested modification to AES privacy draft



>>>>> "Derek" == Derek Atkins <warlord@mit.edu> writes:

 Derek> Scott Fluhrer <sfluhrer@cisco.com> writes:
 >> - Suppose the attacker (Eve) can send packets through the SA.
 >> This attacker may be a legitimate user that is not authorized to
 >> read all the traffic that is routed through the SA.

 Derek> [snip]

 >> I would claim that this attack on privacy is unacceptable, as none
 >> of the assumptions that this attack makes are about things that
 >> the security of IPSec should rely on.  Therefore, I claim that the
 >> common practice of reusing the previous ciphertext block (which
 >> allows this attack), or otherwise selecting IVs in a predictable
 >> manner, should be prohibited.

 Derek> If you make the first assumption, then Eve either: a) lives on
 Derek> the same host as Alice, or b) lives behind the same SG as
 Derek> Alice

 Derek> In the case of a, Eve clearly has root so can get any keying
 Derek> information they want.  In the case of b, Eve could just
 Derek> "tcpdump" on the unprotected link between Eve/Alice and the
 Derek> SG, so IPsec isn't going to protect it.

You missed a case, and you also overstated (b).

The missing case is a SG with more than one LAN coming out of it,
where Eve and Alice are on different ports.

Second, for (b), most LANs are largely or entirely switched LANs,
which means that Eve will be able to see few if any of the plaintext
packets from SG to Alice even if Alice and Eve are on the same
subnet. 

	paul
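The privacy attack Scott's quoted text refers to, as an added illustration that is not part of this thread: a legitimate but unprivileged user of a shared SA (Eve) who can predict the next IV can craft one packet of her own that tells her whether a guess about another user's (Alice's) plaintext block is right. The script contrasts the "reuse the previous ciphertext block as IV" practice with a fresh random IV per packet. The block cipher is a constructed hashlib-based Feistel stand-in for AES so the example runs without a crypto library; the CBC argument does not depend on which block cipher is used. The names `Sender`, `guess_confirmed` and `KEY` are assumptions of this example only.

```python
"""Predictable (chained) CBC IVs vs fresh random IVs on a shared ESP SA.

Added illustration, not code from the thread.  The block cipher is a
constructed HMAC-SHA256 Feistel stand-in for AES.
"""
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"\x01" * BLOCK  # constructed sample key for the demo only


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed 16-byte permutation: a 4-round balanced Feistel network whose
    round function is HMAC-SHA256.  Any Feistel network is a bijection, so
    equal outputs imply equal inputs, which is all the argument needs."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: each block is XORed with the previous ciphertext block
    (the IV for the first block) before the block cipher is applied."""
    assert len(plaintext) % BLOCK == 0, "example uses whole blocks, no padding"
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class Sender:
    """One SA shared by several users.  Every packet leaves as (iv, ct),
    which is exactly what an observer on the protected link sees."""

    def __init__(self, key: bytes, chained_iv: bool):
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)  # IV of the very first packet

    def send(self, plaintext: bytes):
        # chained_iv=True is the practice the thread objects to: the last
        # ciphertext block of packet n becomes the IV of packet n+1, so the
        # IV is public before the next plaintext is chosen.
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.last_block = ct[-BLOCK:]
        return iv, ct


def guess_confirmed(sender: Sender, secret: bytes, guess: bytes) -> bool:
    """Alice sends one block `secret` through the SA; Eve, who may also send
    through it, then sends one packet of her own.  Returns True when that
    packet confirms `guess == secret` to Eve.  With chained IVs this is a
    reliable oracle; with random IVs it is not."""
    iv_a, ct_a = sender.send(secret)     # Alice's packet, visible to Eve
    predicted_iv = ct_a[-BLOCK:]         # the IV chaining would use next
    # Alice's block entered the cipher as secret XOR iv_a.  Eve chooses a
    # plaintext that, under the predicted IV, enters as guess XOR iv_a.
    probe = xor(xor(guess, iv_a), predicted_iv)
    _iv_e, ct_e = sender.send(probe)
    # The cipher is a permutation, so equal outputs mean equal inputs.
    return ct_e[:BLOCK] == ct_a[:BLOCK]


if __name__ == "__main__":
    secret = b"ALICE-SECRET-BLK"  # constructed 16-byte plaintext
    for chained in (True, False):
        s = Sender(KEY, chained_iv=chained)
        print("chained IV" if chained else "random IV ",
              "right guess ->", guess_confirmed(s, secret, secret),
              "| wrong guess ->", guess_confirmed(s, secret, b"X" * BLOCK))
```

With `chained_iv=True` the right guess is confirmed every time and a wrong one never is, which is the privacy leak Scott objects to; with a fresh random IV Eve cannot know the IV before choosing her plaintext, so the comparison fails except with probability 2^-128. The model deliberately gives Eve nothing beyond what the thread assumes: she sees ciphertext on the wire and can send her own packets through the SA, and no key material is involved. The same argument applies regardless of whether Eve sits on the same host, behind the same SG, or on a different LAN port of a multi-interface SG, since all she needs is the ciphertext.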