
Re: SPD issues



Stephen Kent writes:
> If there is more than one SPD (per interface or whatever) and if the 
> same destination is represented in more than one SPD, and if these 
> entries offer different choices for the security services to be 
> applied, where one of the choices may be less secure than the others, 
> then you have a problem, period.  This is because many factors could 
> cause the traffic to be processed against the SPD that results in 
> applying a less secure set of services, e.g., bypass. For example, a 
> Trojan Horse in the net behind the IPsec device might deliberately 
> alter packet headers in an effort to cause the traffic to be mapped 
> to a different SPD. When we had per-interface SPDs, it was possible 
> that traffic destined for one outbound interface (that was deemed 
> secure) might be misrouted by the forwarding software after IPsec 
> processing is completed. There are many other examples.

This actually brings up one question I had earlier. In IPv6, which
address is used when matching against the SPD in case there are routing
headers in the packet? Final destination, next hop destination etc. I
think the current RFC does not say anything about those, and some
implementations might check only the routing header final destination
address and some might use the next hop destination. 
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
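
The selector ambiguity raised in the message above, as an added example that is not part of the original post or of any implementation it mentions: it parses an IPv6 packet carrying a type 0 routing header and looks up both candidate destination addresses in an SPD. The SPD entries, the addresses (documentation prefix 2001:db8::/32) and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed SPD (documentation prefixes): ordered, first match wins.
SPD = [
    (ipaddress.ip_network("2001:db8:a::/48"), "PROTECT"),
    (ipaddress.ip_network("2001:db8:b::/48"), "BYPASS"),
]

def spd_lookup(addr):
    """Return the action of the first SPD entry matching addr, else DISCARD."""
    return next((act for net, act in SPD if addr in net), "DISCARD")

def destinations(packet):
    """Return (header_dst, final_dst) of an IPv6 packet.

    header_dst is the Destination Address field; final_dst is the last
    address in a type 0 routing header with segments left, else header_dst.
    Assumption: the routing header, if any, directly follows the IPv6 header.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    header_dst = final_dst = ipaddress.IPv6Address(packet[24:40])
    if packet[6] == 43:  # Next Header = Routing
        if len(packet) < 48:
            raise ValueError("truncated routing header")
        ext_len, rtype, segs_left = packet[41], packet[42], packet[43]
        end = 48 + ext_len * 8  # Hdr Ext Len excludes the first 8 octets
        if len(packet) < end:
            raise ValueError("truncated routing header")
        if rtype == 0 and segs_left > 0:
            if ext_len % 2 or segs_left > ext_len // 2:
                raise ValueError("malformed type 0 routing header")
            final_dst = ipaddress.IPv6Address(packet[end - 16:end])
    return header_dst, final_dst

def policy_candidates(packet):
    """SPD actions an implementation could pick, keyed by selector choice."""
    header_dst, final_dst = destinations(packet)
    return {"header_dst": spd_lookup(header_dst),
            "final_dst": spd_lookup(final_dst)}

def build_sample():
    """Constructed packet: one-address type 0 routing header, 1 segment left."""
    src = ipaddress.IPv6Address("2001:db8:c::1").packed
    hop = ipaddress.IPv6Address("2001:db8:b::1").packed
    final = ipaddress.IPv6Address("2001:db8:a::1").packed
    rh = struct.pack("!BBBBI", 59, 2, 0, 1, 0) + final
    return struct.pack("!IHBB", 6 << 28, len(rh), 43, 64) + src + hop + rh
```

When the two values returned by `policy_candidates` differ, two implementations that read the specification differently would apply different policy to the same packet.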