Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding & dummy packets
Tylor,
Quoting some earlier text from Steve K....
"Dummy packets can be inserted at random intervals to mask the
absence of actual traffic. One can also "shape" the actual traffic to
match some distribution to which dummy traffic is added as dictated
by the distribution parameters. As with the packet length padding
facility for TFS, the most secure approach would be to generate dummy
packets at whatever rate is needed to maintain a constant rate on an
SA. If packets are all the same size, then the SA presents the
appearance of a constant bit rate data stream, analogous to what a
link crypto would offer at layer 1/2. However, this is unlikely to
be practical in many contexts, e.g., when there are multiple SAs
active, because it would imply reducing the allowed bandwidth for a
site, based on the number of SAs, and that would undermine the
benefits of packet switching. How dummy packet insertion is handled
SHOULD not be an implementation decision, however, but rather a
parameter under control of the local administration."
We could amend the last sentence of the proposed text as follows
"For example, the controls might allow an administrator to generate
random or fixed length dummy packets, or to pad real packets to
random or fixed lengths, or to control the insertion timing of the
dummy packets."
Would that address your concerns?
Thank you,
Karen
>On Thu, 25 Sep 2003, Karen Seo wrote:
>
>> Folks,
>>
>> Here's a description and proposed approach for:
>>
>> IPsec Issue #: 76
>>
>> Title: More explanation re: ESPv3 TFC padding & dummy packets
>>
>> Description:
>> ============
>> Questions have been raised re: how much padding one should add and
>> re: generation and discarding of dummy packets. Should we add text
>> explaining more about these topics?
>>
>>
>> Proposed approach:
>> ==================
>> 2401bis will be modified with text along the lines of:
>>
>> "ESPv3 provides a facility to allow an arbitrary amount of padding to
>> be appended to a packet, for traffic flow confidentiality, as well as
>> a facility for efficient generation and discarding of "dummy"
>> packets. Implementations SHOULD provide local management controls to
>> enable the use of these capabilities on a per SA basis. The controls
>> should specify which (if any) TFC features are to be employed, and
>> provide parametric controls for the features. For example, the
>> controls might allow an administrator to generate random or fixed
>> length dummy packets and to pad real packets to random or fixed
>> lengths."
>>
>> Thank you,
>> Karen
>
>What about how often these dummy packets get sent, and the latency between
>dummy packets. Should this be a random stream or a fixed bandwidth stream?
>Should the dummy data rate be configurable by the administrator?
>
>--------------------------------------------------------------------------------
>Tylor Allison
>Principal Engineer
>
>Secure Computing®
>Protecting the world's most important networks (TM)
>www.securecomputing.com
>NASDAQ: SCUR
>
>tylor_allison@securecomputing.com
>--------------------------------------------------------------------------------
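The controls the thread argues over (fixed vs. random padding of real packets, a fixed or random dummy rate, and the bandwidth cost of holding an SA at constant rate) are easier to reason about with a small simulation. The following is an added example and not code from 2401bis, from any IPsec implementation, or from the people in the thread. It uses a simplified framing (a one-byte next-header tag in front of the body, standing in for the real ESP header and trailer, with encryption omitted), hypothetical control names (TfcPolicy, pad_to, max_random_pad), and constructed sample packets. The one protocol detail it relies on is that ESPv3 marks a dummy packet with Next Header 59 (no next header), and that TFC padding after an inner IPv4 packet is stripped using that packet's own Total Length field.

```python
"""
Toy model of the ESPv3 traffic flow confidentiality (TFC) controls under
discussion: pad real packets to a fixed or random length, insert dummy
packets so an SA shows a constant packet rate, and discard both at the
receiver. Added example, not code from 2401bis or any IPsec implementation.
The framing (1-byte next-header tag + body) is an assumption standing in
for the real ESP header/trailer; encryption is omitted.
"""
import random
import struct

NO_NEXT_HEADER = 59   # ESPv3 dummy packets carry Next Header = 59 (no next header)
IPV4_IN_ESP = 4       # Next Header value for an inner IPv4 packet (tunnel mode)
PROTO_UDP = 17        # inner protocol of the constructed sample packets


def ipv4_packet(payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal IPv4 header + payload (constructed sample). Total Length is the
    field that matters: the receiver uses it to separate packet from padding."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, PROTO_UDP, 0, src, dst)
    return hdr + payload


class TfcPolicy:
    """Per-SA administrative controls (hypothetical names): pad every packet
    to `pad_to` bytes, or add a random 0..max_random_pad bytes instead."""

    def __init__(self, pad_to=0, max_random_pad=0, seed=0):
        self.pad_to = pad_to
        self.max_random_pad = max_random_pad
        self.rng = random.Random(seed)

    def padded_length(self, inner_len):
        if self.max_random_pad:
            return inner_len + self.rng.randint(0, self.max_random_pad)
        return max(self.pad_to, inner_len)   # never truncate a real packet


def encapsulate(next_header, body):
    return bytes([next_header]) + body


def pad_inner(inner, target_len):
    """TFC padding follows the inner packet; its content is arbitrary because
    it is encrypted on the wire, so zero fill is fine in this model."""
    return inner + bytes(target_len - len(inner))


def dummy_packet(length):
    """A dummy carries Next Header 59 plus filler; the receiver drops it."""
    return encapsulate(NO_NEXT_HEADER, bytes(length))


def shape_constant_rate(real_packets, slots, policy):
    """One ESP packet per timer tick for `slots` ticks: the next queued real
    packet (padded) if any, otherwise a dummy sized by the same policy.
    Returns the wire packets and the real packets that did not fit, which is
    the bandwidth cost of pinning an SA to a constant rate."""
    queue = list(real_packets)
    wire = []
    for _ in range(slots):
        if queue:
            inner = queue.pop(0)
            target = policy.padded_length(len(inner))
            wire.append(encapsulate(IPV4_IN_ESP, pad_inner(inner, target)))
        else:
            wire.append(dummy_packet(policy.padded_length(0)))
    return wire, queue


def receive(wire):
    """Discard dummies, then strip TFC padding using the inner Total Length."""
    delivered, dummies = [], 0
    for pkt in wire:
        next_header, body = pkt[0], pkt[1:]
        if next_header == NO_NEXT_HEADER:
            dummies += 1
            continue
        total_len = struct.unpack("!H", body[2:4])[0]
        delivered.append(body[:total_len])
    return delivered, dummies


def demo(slots=8, pad_to=200, max_random_pad=0):
    """Three small constructed inner packets shaped into a constant-rate stream."""
    policy = TfcPolicy(pad_to=pad_to, max_random_pad=max_random_pad)
    reals = [ipv4_packet(b"GET /index.html"), ipv4_packet(b"x" * 100),
             ipv4_packet(b"y" * 40)]
    wire, unsent = shape_constant_rate(reals, slots, policy)
    delivered, dummies = receive(wire)
    return {
        "sizes": sorted({len(p) for p in wire}),   # one value => constant size
        "dummies": dummies,
        "unsent": len(unsent),
        "lossless": delivered == reals,
    }


if __name__ == "__main__":
    print(demo())                     # fixed-length padding, constant rate
    print(demo(max_random_pad=50))    # random-length padding on the same schedule
```

With fixed padding and eight slots for three real packets, every packet on the wire is the same size and five of the eight are dummies; cut the slot budget to two and one real packet cannot be sent at all, which is the trade-off between "constant bit rate on an SA" and the site's usable bandwidth that the quoted text points at. Switching to random padding keeps delivery lossless because the receiver never looks at the padding, only at the inner Total Length.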