
Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding & dummy packets



On Tue, 30 Sep 2003, Karen Seo wrote:

> Tylor,
>
> Quoting some earlier text from Steve K....
>
> "Dummy packets can be inserted at random intervals to mask the
> absence of actual traffic. One can also "shape" the actual traffic to
> match some distribution to which dummy traffic is added as dictated
> by the distribution parameters. As with the packet length padding
> facility for TFS, the most secure approach would be to generate dummy
> packets at whatever rate is needed to maintain a constant rate on an
> SA.  If packets are all the same size, then the SA presents the
> appearance of a constant bit rate data stream, analogous to what a
> link crypto would offer at layer 1/2.  However, this is unlikely to
> be practical in many contexts, e.g., when there are multiple SAs
> active, because it would imply reducing the allowed bandwidth for a
> site, based on the number of SAs, and that would undermine the
> benefits of packet switching.  How dummy packet insertion is handled
> SHOULD not be an implementation decision, however, but rather a
> parameter under control of the local administration."
>
> We could amend the last sentence of the proposed text as follows
>
> "For example, the controls might allow an administrator to generate
> random or fixed length dummy packets, or to pad real packets to
> random or fixed lengths, or to control the insertion timing of the
> dummy packets."
>
> Would that address your concerns?
>
> Thank you,
> Karen

Could we not add something similar to Steve's text somewhere?  It gives
justification and reasoning behind both the packet padding and dummy packet
generation.  Perhaps this doesn't belong in the architecture document...
but it would be nice to have somewhere.  Just reading through the ESPv3
draft, you don't have enough info to implement, without making assumptions as
to what is really wanted.

--------------------------------------------------------------------------------
Tylor Allison
Principal Engineer

Secure Computing®
Protecting the world's most important networks (TM)
www.securecomputing.com
NASDAQ: SCUR

tylor_allison@securecomputing.com
--------------------------------------------------------------------------------
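
A sketch of the constant-rate scheme the quoted text describes, added here as an illustration; it is not part of the original message or of any ESPv3 implementation. `TfcPolicy`, `shape` and the sample arrivals are constructed for this example, and one fixed-size packet per fixed time slot is an assumed reading of "constant rate on an SA".

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class TfcPolicy:
    """Administrator-set controls (hypothetical names for this sketch)."""
    slot_ms: int   # one packet leaves the SA every slot_ms milliseconds
    wire_len: int  # every packet is padded to this many payload bytes

def shape(arrivals, policy, duration_ms):
    """Emit exactly one wire_len-sized packet per slot on one SA.

    arrivals: (time_ms, length) of real packets, sorted by time.
    Returns (send_ms, wire_len, kind, real_bytes) tuples; kind and
    real_bytes sit under encryption and are invisible on the wire.
    """
    queue, out, i = deque(), [], 0
    for t in range(0, duration_ms, policy.slot_ms):
        while i < len(arrivals) and arrivals[i][0] <= t:
            if arrivals[i][1] > policy.wire_len:
                raise ValueError("fragment packets larger than wire_len first")
            queue.append(arrivals[i][1])
            i += 1
        if queue:   # real packet, padded up to wire_len
            out.append((t, policy.wire_len, "real", queue.popleft()))
        else:       # nothing to send: a dummy fills the slot
            out.append((t, policy.wire_len, "dummy", 0))
    return out

def observer_view(stream):
    """What a passive observer can record: send time and size only."""
    return [(t, size) for t, size, _, _ in stream]

def efficiency(stream):
    """Fraction of bytes on the wire that carried real data."""
    return sum(s[3] for s in stream) / sum(s[1] for s in stream)

def sa_rate_bps(policy):
    """Bandwidth one constant-rate SA consumes whether busy or idle."""
    return policy.wire_len * 8 * 1000 // policy.slot_ms

def max_sas(link_bps, policy):
    """How many such SAs fit on a link: the cost the quoted text notes."""
    return link_bps // sa_rate_bps(policy)

# Constructed sample input: a bursty flow and an idle SA.
POLICY = TfcPolicy(slot_ms=10, wire_len=1400)
BUSY = [(0, 1200), (5, 64), (7, 400), (90, 1400)]
if __name__ == "__main__":
    busy, idle = shape(BUSY, POLICY, 100), shape([], POLICY, 100)
    print(observer_view(busy) == observer_view(idle), efficiency(busy))
    print(sa_rate_bps(POLICY), max_sas(10_000_000, POLICY))
```

The busy and idle SAs are indistinguishable to the observer, but each SA holds its full rate permanently, which is why the number of SAs that fit on a link becomes an administrative trade-off rather than an implementation detail.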