2401bis Issue # 75 -- TOS (now ECN) copying in tunnel mode
Folks,
Here's a description and proposed approach for:
IPsec Issue #: 75
Title: TOS (now DSCP and ECN) copying in tunnel mode
Description:
============
The issue was raised that a Trojan Horse "behind" the IPsec
implementation could use the TOS field to exfiltrate data.
Note: the TOS octet (IPv4) and Traffic Class octet (IPv6) have been
replaced by the 6-bit Differentiated Services field (aka
Differentiated Services Codepoint (DSCP)) and the 2-bit Explicit
Congestion Notification field (ECN).
Proposed approach:
==================
2401bis will be modified with text along the lines of:
"An IPsec implementation MAY be configurable re: how it processes the
DSCP field for tunnel mode for transmitted packets. For outbound
traffic, one configuration setting will operate as described in the
section on IPv4 and IPv6 header processing for IPsec tunnels. Another
will allow the field to be mapped to a fixed value, which MAY be
configured on a per SA basis. (The value might really be fixed for
all traffic outbound from a device, but per SA granularity allows
that as well.) This configuration option allows local
administrators to decide whether the covert channel provided by
copying these bits outweighs the benefits of copying."
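To make the two configuration settings in the proposed text concrete, here is an added Python example (not text from 2401bis or code from any IPsec implementation) that models the per-SA decision for the outer header's DSCP and measures how much an inner sender can influence the outer DSCP under each setting. The SA record, its field names, the pass-through of the ECN bits, and the sample inner TOS values are all assumptions of this example.

```python
import math
from dataclasses import dataclass
from enum import Enum

DSCP_MASK = 0x3F  # 6-bit Differentiated Services field (bits 7..2 of the octet)
ECN_MASK = 0x03   # 2-bit Explicit Congestion Notification field (bits 1..0)


class DscpPolicy(Enum):
    COPY = "copy"    # copy the inner header's DSCP into the outer header
    FIXED = "fixed"  # write a fixed, per-SA DSCP into the outer header


@dataclass(frozen=True)
class TunnelSA:
    """Assumed per-SA configuration record for a tunnel-mode SA."""
    spi: int
    policy: DscpPolicy
    fixed_dscp: int = 0  # only consulted when policy is FIXED

    def __post_init__(self):
        if not 0 <= self.fixed_dscp <= DSCP_MASK:
            raise ValueError("fixed_dscp must be a 6-bit value")


def outer_tos(inner_tos: int, sa: TunnelSA) -> int:
    """Compute the TOS/Traffic Class octet of the outer (tunnel) header.

    Only the DSCP handling is what the proposed text configures; the ECN
    bits are passed through unchanged here as a simplifying assumption.
    """
    inner_dscp = (inner_tos >> 2) & DSCP_MASK
    ecn = inner_tos & ECN_MASK
    dscp = inner_dscp if sa.policy is DscpPolicy.COPY else sa.fixed_dscp
    return (dscp << 2) | ecn


def covert_bits_per_packet(sa: TunnelSA, inner_tos_values) -> float:
    """Upper bound on bits an inner sender can push into the outer DSCP per
    packet: log2 of the number of distinct outer DSCP values it can cause."""
    seen = {(outer_tos(t, sa) >> 2) & DSCP_MASK for t in inner_tos_values}
    return math.log2(len(seen))


if __name__ == "__main__":
    all_tos = range(256)  # constructed sample: every possible inner TOS octet
    copy_sa = TunnelSA(spi=0x1001, policy=DscpPolicy.COPY)
    fixed_sa = TunnelSA(spi=0x1002, policy=DscpPolicy.FIXED, fixed_dscp=0x2E)
    print("copy :", covert_bits_per_packet(copy_sa, all_tos), "bits/packet")
    print("fixed:", covert_bits_per_packet(fixed_sa, all_tos), "bits/packet")
```

Under the copy setting the outer DSCP can take all 64 values (6 bits per packet of inner-controlled signal); under the fixed setting it takes exactly one, which is the trade-off the proposed text leaves to the administrator.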
Thank you,
Karen