
Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding & dummy packets
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Karen" == Karen Seo <kseo@bbn.com> writes:
    Karen> "ESPv3 provides a facility to allow an arbitrary amount of padding
    Karen> to be appended to a packet, for traffic flow confidentiality, as
    Karen> well as a facility for efficient generation and discarding of
    Karen> "dummy" packets. Implementations SHOULD provide local management
    Karen> controls to enable the use of these capabilities on a per SA

  Unfortunately, they do not provide the required facilities to make onion
routing feasible with IPsec. (ZeroKnowledge experienced this problem and 
did a proprietary system as a result)

  In onion routing, when you decapsulate a packet, finding another encrypted
packet inside (not addressed to you), you then need a way to append padding
to the resulting packet so that it stays the same size as what was received.
  Essentially, one needs to do this on the *outside* of the packet. 

  If ESP had a length at the beginning of the ciphertext instead of at the
end, then it would be trivial, but this isn't so. This is clearly a wire
format change, so it is no longer the ESP that we know.

  I don't expect ESPv3 to solve this, but it might be good to note that
it doesn't solve this problem.

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys - custom hacks make this fully PGP2 compat

iQCVAwUBP3NsNoqHRg3pndX9AQEbHgP/SyZBUn2qVWZY09dN0z6GIwBlWuGPK0jM
ytGrvxWaBNruJ0pNt3f2pcg6r+6dw7B+nTQ1tT6kI3E/WJAPPXsmmiIDoPGxCEK6
T68TfxB8GzXL9qlP1hqS4b6dx4xcFhh7GtzFEG9g2IDFKiA9hXgNZXoiIFVyWxFC
dr/gEvQ9TTk=
=V7d9
-----END PGP SIGNATURE-----
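The wire-format argument in the message above can be made concrete. The following is an added example, written for this archive page; it is not code from Michael Richardson, from ZeroKnowledge, or from any IPsec implementation. It builds and parses the RFC 4303 plaintext layout (inner packet, TFC padding, Padding, Pad Length, Next Header, with Next Header 59 marking a dummy packet) next to a hypothetical "length-first" layout of the kind the message contemplates, then simulates the onion-routing step: a node peels one layer and wants to append bytes to the inner packet so the forwarded size matches the received size. Encryption is omitted on purpose, since the point is where the length field sits; the IPv4 header builder, the packet sizes, and all function names are constructed for the example.

```python
"""Added example: ESP (RFC 4303) trailer layout vs. a hypothetical length-first
layout, showing why padding cannot be appended *outside* an ESP packet.
Plaintext only; in real ESP the trailer lies inside the ciphertext."""
import struct
from typing import Dict, Optional

NH_IPV4 = 4       # Next Header value for an inner IPv4 packet (tunnel mode)
NH_DUMMY = 59     # RFC 4303 s2.6: "no next header" marks a dummy packet to discard
MIN_HDR_V4 = 20   # IPv4 header without options


def ipv4_header(total_length: int) -> bytes:
    """Constructed minimal IPv4 header; only Total Length matters for TFC stripping."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0, 0, 64, 0, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def esp_plaintext(inner: bytes, *, tfc_pad: int = 0, block: int = 16,
                  next_header: int = NH_IPV4) -> bytes:
    """RFC 4303 plaintext: inner || TFC padding || Padding || Pad Length || Next Header.
    Regular padding brings the total to a multiple of the cipher block size."""
    body = inner + b"\x00" * tfc_pad
    pad_len = (-(len(body) + 2)) % block
    padding = bytes(range(1, pad_len + 1))        # default monotonic pad bytes
    return body + padding + bytes([pad_len, next_header])


def esp_decapsulate(plaintext: bytes) -> Optional[bytes]:
    """Receiver side: the trailer is read from the LAST two bytes, then TFC padding
    is removed using the inner IPv4 Total Length. Returns None for a dummy packet."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if next_header == NH_DUMMY:
        return None                                # efficient discard of dummies
    body_end = len(plaintext) - 2 - pad_len
    if body_end < MIN_HDR_V4 or next_header != NH_IPV4:
        raise ValueError("malformed ESP trailer")
    if plaintext[body_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("padding check failed")
    body = plaintext[:body_end]
    total_len = struct.unpack("!H", body[2:4])[0]
    if total_len > len(body):
        raise ValueError("inner Total Length exceeds decrypted body")
    return body[:total_len]                        # TFC padding dropped here


def lenfirst_encapsulate(inner: bytes) -> bytes:
    """Hypothetical layout: a 16-bit length in front, payload after it."""
    return struct.pack("!H", len(inner)) + inner


def lenfirst_decapsulate(packet: bytes) -> bytes:
    n = struct.unpack("!H", packet[:2])[0]
    return packet[2:2 + n]                         # trailing bytes are ignored


def pad_outside(packet: bytes, target: int) -> bytes:
    """What an onion router wants after peeling one layer: append bytes so the
    forwarded packet keeps the size of the packet it received."""
    return packet + b"\x00" * (target - len(packet))


def demo() -> Dict[str, bool]:
    inner = ipv4_header(40) + b"A" * 20            # constructed 40-byte inner packet
    esp_pkt = esp_plaintext(inner, tfc_pad=8)      # 64 bytes after padding
    received_size = len(esp_pkt) + 24              # pretend the peeled layer was 24 bytes

    try:   # ESP: appended bytes now occupy the trailer position, parse breaks
        esp_ok = esp_decapsulate(pad_outside(esp_pkt, received_size)) == inner
    except ValueError:
        esp_ok = False

    lf_pkt = lenfirst_encapsulate(inner)           # length-first: extras are harmless
    lf_ok = lenfirst_decapsulate(pad_outside(lf_pkt, received_size)) == inner

    return {
        "esp_tfc_stripped": esp_decapsulate(esp_pkt) == inner,
        "esp_dummy_discarded": esp_decapsulate(
            esp_plaintext(b"\x00" * 10, next_header=NH_DUMMY)) is None,
        "esp_survives_outside_padding": esp_ok,
        "lenfirst_survives_outside_padding": lf_ok,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two receiver functions make the asymmetry visible: `esp_decapsulate` has to trust the last two bytes of whatever it is handed, so a forwarder that lengthens the packet destroys the trailer, whereas `lenfirst_decapsulate` reads a length it can bound the payload by and ignores anything after it. That is the property the message says is missing, and adding it would change the ESP wire format.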