Re: SPD issues
Folks
There may be some misunderstanding about what holes an SPD selection
function creates.
If there is more than one SPD (per interface or whatever) and if the
same destination is represented in more than one SPD, and if these
entries offer different choices for the security services to be
applied, where one of the choices may be less secure than the others,
then you have a problem, period. This is because many factors could
cause the traffic to be processed against the SPD that results in
applying a less secure set of services, e.g., bypass. For example, a
Trojan Horse in the net behind the IPsec device might deliberately
alter packet headers in an effort to cause the traffic to be mapped
to a different SPD. When we had per-interface SPDs, it was possible
that traffic destined for one outbound interface (that was deemed
secure) might be misrouted by the forwarding software after IPsec
processing is completed. There are many other examples.
The only way to be really confident about the security services being
provided for traffic is to have just one SPD, or to make sure that
the multiple SPDs are not overlapping in terms of the destination
addresses (for outbound traffic), or that the security services
offered in any overlapping entries are equivalent.
That's why I cannot get too excited about the residual
vulnerabilities associated with these options.
Maybe we should take a hint from the automotive industry and add the
following warning to the RFC:
"your actual security may vary" :-)
Steve
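The hazard Steve describes, overlapping destination selectors in separate SPDs whose entries call for non-equivalent services, can be checked mechanically. The following is an added example, not code from the message or from any IPsec implementation; the entry format, service labels and sample SPDs are all constructed for illustration.

```python
# Added example (not from the original message): flag pairs of entries in
# different SPDs whose destination selectors overlap but whose security
# services are not equivalent. Entry format and sample data are constructed.
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class SpdEntry:
    """One outbound SPD entry, reduced to a destination selector and its action."""
    dst: str                 # destination prefix, e.g. "10.1.0.0/16"
    action: str              # "PROTECT", "BYPASS" or "DISCARD"
    services: tuple = ()     # protections applied when action is PROTECT

    def network(self):
        return ipaddress.ip_network(self.dst, strict=False)

def equivalent(a, b):
    """Entries are equivalent only if they apply the same action and services."""
    return a.action == b.action and set(a.services) == set(b.services)

def find_conflicts(spds):
    """Return (spd_x, entry_x, spd_y, entry_y) for every pair of entries in
    different SPDs whose destination selectors overlap and whose services
    differ. An empty list means the SPDs are either non-overlapping on
    destination or consistent wherever they do overlap."""
    conflicts = []
    for (name_x, entries_x), (name_y, entries_y) in combinations(spds.items(), 2):
        for ex in entries_x:
            for ey in entries_y:
                if ex.network().overlaps(ey.network()) and not equivalent(ex, ey):
                    conflicts.append((name_x, ex, name_y, ey))
    return conflicts

# Constructed sample: two per-interface SPDs. 10.1.2.0/24 falls under a
# PROTECT entry on eth0 but a BYPASS entry on eth1, so traffic steered to
# eth1 (misrouting, crafted headers, etc.) would leave unprotected.
# 192.0.2.0/24 is protected identically on both, which is harmless.
SAMPLE_SPDS = {
    "eth0": [
        SpdEntry("10.1.0.0/16", "PROTECT", ("esp", "aes-gcm-256")),
        SpdEntry("192.0.2.0/24", "PROTECT", ("esp", "aes-gcm-256")),
    ],
    "eth1": [
        SpdEntry("10.1.2.0/24", "BYPASS"),
        SpdEntry("192.0.2.0/24", "PROTECT", ("aes-gcm-256", "esp")),
    ],
}

if __name__ == "__main__":
    for sx, ex, sy, ey in find_conflicts(SAMPLE_SPDS):
        print(f"{sx}:{ex.dst} {ex.action} overlaps {sy}:{ey.dst} {ey.action}")
```

Run against the sample it reports the single eth0/eth1 conflict on 10.1.2.0/24; the consistent 192.0.2.0/24 entries are not reported.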