
Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding& dummy packets



At 13:33 -0400 9/26/03, Michael Richardson wrote:
>
>
>>>>>>  "Stephen" == Stephen Kent <kent@bbn.com> writes:
>     >> Unfortunately, they do not provide the required facilities to make
>     >> onion routing feasible with IPsec. (ZeroKnowledge experienced this
>     >> problem and did a proprietary system as a result)
>     >>
>     >> In onion routing, when you decapsulate a packet, finding another
>     >> encrypted packet inside (not addressed to you), you then need a way to
>     >> append padding to the resulting packet so that it stays the same size
>     >> as what was received.  Essentially, one needs to do this on the
>     >> *outside* of the packet.
>     >>
>     >> If ESP had a length at the beginning of the ciphertext instead of at
>     >> the end, then it would be trivial, but this isn't so. This is clearly
>     >> a wire format change, so it is no longer the ESP that we know.
>     >>
>     >> I don't expect ESPv3 to solve this, but it might be good to note
>     >> that it doesn't solve this problem.
>
>     Stephen> Your observation is correct re a specific way to effect TFC, but
>     Stephen> it's not the only way.  An intermediate system could decapsulate
>     Stephen> and then pad the new, outbound packet to some fixed size, or
>     Stephen> some arbitrary size, rather than trying to preserve the (padded)
>     Stephen> size of the inbound packet.
>
>   How does it do this, unless it is encrypted again?
>
>   Not all designs assume that there are tunnels between adjacent systems.
>There are performance vs accounting tradeoffs for each scenario.
>
>   You may have them *as well*, but that's not the point.
>

Michael,

Sorry, I misunderstood your example. But, I stand by my assertion 
that it is actually a questionable idea, from a TFC perspective, to 
try to make the outbound packet the same size as the inbound packet, 
in general. If different inbound packets arrive with different sizes, 
this just makes it easy for an observer to match inbound and outbound 
traffic through a router.

Steve
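To illustrate the traffic-flow-confidentiality point argued above, here is a small added simulation (not code from either poster): a passive observer on both sides of a decapsulating router tries to link inbound and outbound packets purely by size. The outer-header overhead, the fixed pad target and the sample packet sizes are constructed assumptions.

```python
from collections import Counter

OUTER_OVERHEAD = 24   # bytes removed when the outer encapsulation is stripped (assumed)
FIXED_SIZE = 1500     # pad target for the fixed-size policy (assumed, MTU-like)

# Constructed sample of inbound (encapsulated) packet sizes seen by the observer.
SAMPLE_INBOUND = [100, 256, 300, 512, 512, 1024, 1400]


def decapsulate(inbound_size: int) -> int:
    """Size of the inner packet after the outer layer is removed."""
    return inbound_size - OUTER_OVERHEAD


def pad_preserve(inbound_size: int) -> int:
    """Policy criticised in the thread: pad the outbound packet back to the
    inbound size, so each outbound size mirrors its inbound size exactly."""
    return decapsulate(inbound_size) + OUTER_OVERHEAD


def pad_fixed(inbound_size: int) -> int:
    """Alternative policy: pad every outbound packet to one fixed size
    (packets larger than FIXED_SIZE are left unpadded in this toy model)."""
    return max(decapsulate(inbound_size), FIXED_SIZE)


def linkable_by_size(inbound_sizes, policy):
    """Count inbound packets the observer can pair with exactly one outbound
    packet by size alone. Returns (linkable, total)."""
    outbound = [policy(s) for s in inbound_sizes]
    freq = Counter(outbound)
    linkable = sum(1 for o in outbound if freq[o] == 1)
    return linkable, len(inbound_sizes)


if __name__ == "__main__":
    for name, policy in (("preserve", pad_preserve), ("fixed", pad_fixed)):
        hit, total = linkable_by_size(SAMPLE_INBOUND, policy)
        print(f"{name:8s}: {hit}/{total} packets uniquely linkable by size")
```

With the sample above, preserving inbound sizes leaves five of seven packets uniquely linkable, while padding to one fixed size leaves none.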