
Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding & dummy packets

>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
    >> Unfortunately, they do not provide the required facilities to make
    >> onion routing feasible with IPsec. (ZeroKnowledge experienced this
    >> problem and did a proprietary system as a result)
    >> 
    >> In onion routing, when you decapsulate a packet, finding another
    >> encrypted packet inside (not addressed to you), you then need a way to
    >> append padding to the resulting packet so that it stays the same size
    >> as what was received.  Essentially, one needs to do this on the
    >> *outside* of the packet.
    >> 
    >> If ESP had a length at the beginning of the ciphertext instead of at
    >> the end, then it would be trivial, but this isn't so. This is clearly
    >> a wire format change, so it is no longer the ESP that we know.
    >> 
    >> I don't expect ESPv3 to solve this, but it might be good to note
    >> that it doesn't solve this problem.

    Stephen> Your observation is correct re a specific way to effect TFC, but
    Stephen> it's not the only way.  An intermediate system could decapsulate
    Stephen> and then pad the new, outbound packet to some fixed size, or
    Stephen> some arbitrary size, rather than trying to preserve the (padded)
    Stephen> size of the inbound packet.

  How does it do this, unless it is encrypted again?  

  Not all designs assume that there are tunnels between adjacent systems.
There are performance vs accounting tradeoffs for each scenario. 

  You may have them *as well*, but that's not the point.

] Train travel features AC outlets with no take-off restrictions|  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian/notebook using, kernel hacking, security guy");  [
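The exchange above turns on where ESP puts its length information. As an added example that is not part of the thread, the following Python models the ESPv3 (RFC 4303) plaintext layout, payload | TFC padding | ESP padding | pad length | next header, on a constructed IPv4 datagram. It shows that the receiver learns the pad length only from the last two bytes of the decrypted data, and it models Kent's alternative: an intermediate system that decapsulates and then re-encapsulates the outbound packet, TFC-padded to a fixed size for the next-hop SA. The packet contents, addresses and the fixed sizes are constructed for illustration; the re-encapsulation step is a new ESP layer, which is the point Michael raises.

```python
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IPv4-in-IPv4 (tunnel mode next header)
ESP_BLOCK = 16     # AES block size; ESP pads (body + pad length + next header) to this


def make_ipv4(payload: bytes, proto: int = 17) -> bytes:
    """Constructed minimal IPv4 datagram (no options, zero checksum) for the example."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def ipv4_total_length(pkt: bytes) -> int:
    """Total Length field; this is what lets a receiver discard trailing TFC padding."""
    return struct.unpack("!H", pkt[2:4])[0]


def esp_plaintext(inner: bytes, next_header: int, target_len: int = 0) -> bytes:
    """ESPv3 plaintext as it exists just before encryption:
    inner | TFC padding | ESP padding | pad length (1 byte) | next header (1 byte).
    If target_len > len(inner), TFC padding stretches the inner packet to target_len."""
    tfc = max(0, target_len - len(inner))
    body = inner + bytes(tfc)
    # ESP padding aligns body + 2 trailer bytes to the cipher block size.
    pad_len = (-(len(body) + 2)) % ESP_BLOCK
    padding = bytes(range(1, pad_len + 1))      # default monotonic pad bytes (RFC 4303)
    return body + padding + struct.pack("!BB", pad_len, next_header)


def esp_strip(plaintext: bytes) -> tuple[bytes, int]:
    """Receiver side. Pad length and next header are the LAST two bytes, so the
    payload boundary is unknown until the whole plaintext has been decrypted; this
    is the wire-format property the thread is discussing."""
    pad_len, next_header = struct.unpack("!BB", plaintext[-2:])
    body = plaintext[:-2 - pad_len]
    if next_header == IPPROTO_IPIP:
        # TFC padding is removable only because the inner IPv4 header carries its length.
        body = body[:ipv4_total_length(body)]
    return body, next_header


def forward_fixed_size(inbound_plaintext: bytes, fixed: int) -> bytes:
    """Kent's alternative: decapsulate, then pad the outbound packet to a fixed size
    rather than preserving the inbound (padded) size. Note this produces a new ESP
    plaintext for the next hop, i.e. the packet is encrypted again on that SA."""
    inner, next_header = esp_strip(inbound_plaintext)
    return esp_plaintext(inner, next_header, target_len=fixed)


if __name__ == "__main__":
    inner = make_ipv4(b"hello")                              # 25-byte constructed datagram
    inbound = esp_plaintext(inner, IPPROTO_IPIP, target_len=100)
    outbound = forward_fixed_size(inbound, 64)
    print(len(inbound), len(outbound), esp_strip(outbound)[0] == inner)
```

Run as a script it prints the inbound and outbound plaintext sizes (112 and 80 bytes for the constructed input) and confirms the inner datagram survives the re-encapsulation unchanged; the size change shows that the outbound size is chosen by the forwarder, not carried over from the inbound packet.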
