
Re: SPD issues



Folks

There may be some misunderstanding about what holes an SPD selection 
function creates.

If there is more than one SPD (per interface or whatever) and if the 
same destination is represented in more than one SPD, and if these 
entries offer different choices for the security services to be 
applied, where one of the choices may be less secure than the others, 
then you have a problem, period.  This is because many factors could 
cause the traffic to be processed against the SPD that results in 
applying a less secure set of services, e.g., bypass. For example, a 
Trojan Horse in the net behind the IPsec device might deliberately 
alter packet headers in an effort to cause the traffic to be mapped 
to a different SPD. When we had per-interface SPDs, it was possible 
that traffic destined for one outbound interface (that was deemed 
secure) might be misrouted by the forwarding software after IPsec 
processing is completed. There are many other examples.

The only way to be really confident about the security services being 
provided for traffic is to have just one SPD, or to make sure that 
the multiple SPDs are not overlapping in terms of the destination 
addresses (for outbound traffic), or that the security services 
offered in any overlapping entries are equivalent.

That's why I cannot get too excited about the residual 
vulnerabilities associated with these options.

Maybe we should take a hint from the automotive industry and add the 
following warning to the RFC:

"your actual security may vary"  :-)

Steve
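The audit implied by the message (one SPD, non-overlapping destinations, or equivalent services in every overlap) as an added example; this is illustration code, not part of the original mail or any IPsec implementation, and the service names, their ranking in STRENGTH and the sample entries are assumptions constructed for it:

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

# Assumed ranking from weakest to strongest, used only to report exposure.
# DISCARD costs availability rather than confidentiality but is still a
# different service than the others, so it is ranked last.
STRENGTH = {"BYPASS": 0, "PROTECT-AH": 1, "PROTECT-ESP": 2, "DISCARD": 3}

@dataclass(frozen=True)
class SpdEntry:
    spd: str        # which SPD the entry lives in (e.g. one per interface)
    dst: str        # destination selector as a prefix, e.g. "10.1.0.0/16"
    service: str    # one of the STRENGTH keys

    def network(self):
        return ipaddress.ip_network(self.dst, strict=False)

def find_conflicts(entries):
    """Pairs of entries from different SPDs whose destination selectors
    overlap but whose security services are not equivalent. An empty
    result means the set meets one of the three safe conditions."""
    conflicts = []
    for a, b in combinations(entries, 2):
        if (a.spd != b.spd and a.network().overlaps(b.network())
                and a.service != b.service):
            conflicts.append((a, b))
    return conflicts

def weakest_exposed_service(entries):
    """The least secure service a packet could receive if it were mapped
    to the 'wrong' SPD; None when the SPD set has no conflicts."""
    conflicts = find_conflicts(entries)
    if not conflicts:
        return None
    involved = {e.service for pair in conflicts for e in pair}
    return min(involved, key=STRENGTH.__getitem__)

# Constructed sample: two per-interface SPDs where one destination range
# is protected on eth0 but bypassed on eth1.
SAMPLE = [
    SpdEntry("eth0", "10.1.0.0/16", "PROTECT-ESP"),
    SpdEntry("eth0", "192.168.0.0/24", "PROTECT-ESP"),
    SpdEntry("eth1", "10.1.2.0/24", "BYPASS"),
    SpdEntry("eth1", "192.168.0.0/24", "PROTECT-ESP"),
    SpdEntry("eth1", "172.16.0.0/12", "DISCARD"),
]
```

Running `find_conflicts(SAMPLE)` reports the 10.1.0.0/16 versus 10.1.2.0/24 pair and `weakest_exposed_service(SAMPLE)` returns "BYPASS"; removing the BYPASS entry leaves a set with no conflicts.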