
Re: Modefg considered harmful

At 5:41 PM -0800 2/3/03, Bora Akyol wrote:
>At 04:55 PM 2/3/2003 -0500, Stephen Kent wrote:
>>In 2401bis, we plan on de-coupling route selection from SA 
>>selection, by having an explicit lookup for routing performed prior 
>>to SA selection, and then passing along a virtual interface ID as 
>>part of the SA selection process.  This is something that was 
>>discussed among a set of folks interested in PPVPN and overlay nets 
>>over the last several months. If adopted, this would make it easier 
>>to accommodate the sort of full-fledged routing participation that 
>>you allude to.
>
>
>I fear that this is straying from the scope of the ipsec working 
>group to something much larger. As you point out there is no 
>infrastructure in the Internet to verify that either a route or its 
>advertiser are authentic. Specification of a virtual interface ID is 
>implementation specific.
>
>I want to understand more of the concern here. Is the concern that 
>ipsec SAs are being used to route traffic or due to the uncontrolled 
>routing, some packets that should be secured are going in the clear 
>due to the wrong interface selection?
>
>Can you please elaborate on the reasoning behind this concern and verbiage?
>
>Thanks
>
>Bora

Bora,

IPsec provides access controls based on packet headers, primarily S/D 
IP addresses. If an IPsec implementation serves a single host, we can 
manage this well, i.e., we can appropriately configure the SPD to 
reflect the address of the host. If an IPsec gateway serves a subnet 
we can probably do an acceptable job as well. But, if people start 
thinking in terms of routing through a subnet protected with an IPsec 
security gateway, en route to some other subnet, this sort of transit 
traffic protection creates new requirements for secure management of 
the binding between an IPsec device and the addresses that it is 
authorized to represent. I agree that this is a bigger issue than 
IPsec, but we need to be cognizant of vulnerabilities that will 
result if we say that IPsec gateways can be used for this sort of 
transit traffic protection. We need to advise potential users of the 
technology of these vulnerabilities, and suggest means by which the 
vulnerabilities can be mitigated.

Steve
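The following is an added illustration, not code from this thread, from RFC 2401bis or from any IPsec implementation. It models the outbound processing order Steve describes: a routing lookup first, which yields a virtual interface ID, then SPD selection on source/destination address plus that interface ID. It also adds one check of the kind Steve says is needed for transit traffic, verifying that the peer security gateway named by the matching SPD entry is authorized to represent the destination address before an SA to it is used. The route table, SPD, address ranges, gateway names and the shape of the authorization table are all constructed for the example; how such a binding would really be established and validated is exactly the open issue the thread raises.

```python
"""Added example: route lookup before SA selection, with a check that the
peer gateway is authorized for the destination address.  All tables,
addresses and names below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class SPDEntry:
    src: IPNet
    dst: IPNet
    vif: Optional[str]           # virtual interface ID; None matches any
    action: str                  # "PROTECT", "BYPASS" or "DISCARD"
    peer: Optional[str] = None   # peer security gateway used when PROTECT


# Constructed routing table: (prefix, virtual interface ID); longest match wins.
# The 10.3.0.0/16 route models a prefix reachable via gateway B that B is
# not actually authorized to represent.
ROUTES = [
    (IPNet("0.0.0.0/0"), "vif-internet"),
    (IPNet("10.2.0.0/16"), "vif-tunnel-B"),
    (IPNet("10.3.0.0/16"), "vif-tunnel-B"),
]

# Constructed SPD, ordered; first match wins.
SPD = [
    SPDEntry(IPNet("10.1.0.0/16"), IPNet("10.2.0.0/16"), "vif-tunnel-B", "PROTECT", "gw-B"),
    SPDEntry(IPNet("10.1.0.0/16"), IPNet("10.3.0.0/16"), "vif-tunnel-B", "PROTECT", "gw-B"),
    SPDEntry(IPNet("10.1.0.0/16"), IPNet("0.0.0.0/0"), "vif-internet", "BYPASS"),
]

# Constructed binding of each peer gateway to the address ranges it is
# authorized to represent (assumed to come from configuration or credentials).
AUTHORIZED = {
    "gw-B": [IPNet("10.2.0.0/16")],
}


def route_lookup(dst: ipaddress.IPv4Address, routes=ROUTES) -> Optional[str]:
    """Longest-prefix match; returns the virtual interface ID or None."""
    best = None
    for prefix, vif in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, vif)
    return best[1] if best else None


def spd_lookup(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
               vif: str, spd: List[SPDEntry] = SPD) -> Optional[SPDEntry]:
    """First SPD entry whose selectors (src, dst, virtual interface) match."""
    for entry in spd:
        if src in entry.src and dst in entry.dst and (entry.vif is None or entry.vif == vif):
            return entry
    return None


def process_outbound(src: str, dst: str, routes=ROUTES, spd=SPD,
                     authorized=AUTHORIZED) -> Tuple[str, str]:
    """Return (decision, reason) for an outbound packet with the given addresses."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    vif = route_lookup(d, routes)            # routing decided before SA selection
    if vif is None:
        return ("DISCARD", "no route")
    entry = spd_lookup(s, d, vif, spd)       # SA selection keyed on addresses + vif
    if entry is None:
        return ("DISCARD", "no SPD match")
    if entry.action != "PROTECT":
        return (entry.action, f"spd entry on {vif}")
    # Assumed mitigation check: refuse to protect traffic toward an address the
    # chosen peer gateway is not authorized to represent.
    if not any(d in prefix for prefix in authorized.get(entry.peer, [])):
        return ("DISCARD", f"{entry.peer} not authorized for {d}")
    return ("PROTECT", f"SA to {entry.peer} via {vif}")


if __name__ == "__main__":
    for pair in [("10.1.0.5", "10.2.0.9"), ("10.1.0.5", "10.3.0.9"), ("10.1.0.5", "192.0.2.1")]:
        print(pair, "->", process_outbound(*pair))
```

Running the block shows the three cases: traffic to 10.2.0.9 is protected over the SA to gw-B, traffic to 192.0.2.1 bypasses IPsec on the Internet-facing interface, and traffic to 10.3.0.9 is discarded even though both a route and an SPD entry select gw-B, because gw-B is not bound to that range.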