[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding& dummy packets

To: Tylor Allison <allison@securecomputing.com>
Subject: Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding& dummy packets
From: Karen Seo <kseo@bbn.com>
Date: Tue, 14 Oct 2003 03:32:38 -0400
Cc: ipsec mailingList <ipsec@lists.tislabs.com>, <byfraser@cisco.com>, <tytso@mit.edu>, "Angelos D. Keromytis" <angelos@cs.columbia.edu>, <kivinen@ssh.fi>
In-Reply-To: <Pine.GSO.4.33.0310020930440.24171-100000@gandalf.sctc.com>
References: <Pine.GSO.4.33.0310020930440.24171-100000@gandalf.sctc.com>
Sender: owner-ipsec@lists.tislabs.com

Hi Tylor,

>On Tue, 30 Sep 2003, Karen Seo wrote:
>
>>  Tylor,
>>
>>  Quoting some earlier text from Steve K....
>>
>>  "Dummy packets can be inserted at random intervals to mask the
>>  absence of actual traffic. One can also "shape" the actual traffic to
>>  match some distribution to which dummy traffic is added as dictated
>>  by the distribution parameters. As with the packet length padding
>>  facility for TFS, the most secure approach would be to generate dummy
>>  packets at whatever rate is needed to maintain a constant rate on an
>>  SA.  If packets are all the same size, then the SA presents the
>>  appearance of a constant bit rate data stream, analogous to what a
>>  link crypto would offer at layer 1/2.  However, this is unlikely to
>>  be practical in many contexts, e.g., when there are multiple SAs
>>  active, because it would imply reducing the allowed bandwidth for a
>>  site, based on the number of SAs, and that would undermine the
>>  benefits of packet switching.  How dummy packet insertion is handled
>>  SHOULD not be an implementation decision, however, but rather a
>>  parameter under control of the local administration."
>>
>>  We could amend the last sentence of the proposed text as follows
>>
>>  "For example, the controls might allow an administrator to generate
>>  random or fixed length dummy packets, or to pad real packets to
>>  random or fixed lengths, or to control the insertion timing of the
>>  dummy packets."
>>
>>  Would that address your concerns?
>>
>>  Thank you,
>>  Karen
>
>Could we not add something similar to Steve's text somewhere?  It gives
>justification and reasoning behind both the packet padding and dummy packet
>generation.  Perhaps this doesn't belong in the architecture document...
>but it would be nice to have somewhere.  Just reading through the ESPv3
>draft, you don't have enough info to implement, without making assumptions as
>to what is really wanted.
>
	I didn't see any further comments, so yes, I'll put this
	text in somewhere.

Thank you,
Karen

References:
- Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding &dummy packets
  - From: Tylor Allison <allison@securecomputing.com>

Prev by Date: Re: 2401bis issues (possible) resolution
Next by Date: Re: Issue #68: VPNs with overlapping IP address ranges (was Re:2401bis issues (possible) resolution)
Prev by thread: Re: 2401bis Issue # 76 -- More explanation re: ESPv3 TFC padding &dummy packets
Next by thread: Re: 2401bis Issue # 86 -- Add IPv6 mobility header message type asselector
Index(es):
- Date
- Thread