Re: SPD issues
Stephen Kent writes:
> If there is more than one SPD (per interface or whatever) and if the
> same destination is represented in more than one SPD, and if these
> entries offer different choices for the security services to be
> applied, where one of the choices may be less secure than the others,
> then you have a problem, period. This is because many factors could
> cause the traffic to be processed against the SPD that results in
> applying a less secure set of services, e.g., bypass. For example, a
> Trojan Horse in the net behind the IPsec device might deliberately
> alter packet headers in an effort to cause the traffic to be mapped
> to a different SPD. When we had per-interface SPDs, it was possible
> that traffic destined for one outbound interface (that was deemed
> secure) might be misrouted by the forwarding software after IPsec
> processing is completed. There are many other examples.
This actually brings up one question I had earlier. In IPv6, which
address is used when matching against the SPD in case there are routing
headers in the packet? Final destination, next hop destination, etc.? I
think the current RFC does not say anything about those, and some
implementations might check only the routing header final destination
address and some might use the next hop destination.
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
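The ambiguity raised above can be made concrete with a small model, added here as an illustration and not part of the original message or of any implementation mentioned in it. It assumes a Type 0 routing header laid out as in RFC 2460, a constructed three-entry SPD, and a hypothetical "pick the stricter of the two answers" rule (discard over protect over bypass) as one defensive way to resolve the question; packet contents and prefixes are made up.

```python
import ipaddress
import struct

# Hypothetical tie-break rule: a stricter action wins when the two
# candidate selector addresses land on different SPD entries.
STRICTNESS = {"bypass": 0, "protect": 1, "discard": 2}

# Constructed SPD: (destination prefix, action); first match wins.
SPD = [
    (ipaddress.ip_network("2001:db8:1::/48"), "bypass"),
    (ipaddress.ip_network("2001:db8:2::/48"), "protect"),
    (ipaddress.ip_network("::/0"), "discard"),
]

IPV6_HDR_LEN = 40
NH_ROUTING = 43   # IPv6 Routing extension header
NH_UDP = 17


def build_packet(src, hdr_dst, route=None):
    """Build a minimal IPv6 packet (constructed test input).

    hdr_dst is the destination field of the fixed header (the next hop
    when a routing header is present); route lists the remaining hops,
    the last of which is the final destination.
    """
    src_b = ipaddress.IPv6Address(src).packed
    dst_b = ipaddress.IPv6Address(hdr_dst).packed
    if route:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in route)
        # Type 0 routing header: Hdr Ext Len is 2 per address,
        # Segments Left equals the number of addresses not yet visited.
        payload = struct.pack("!BBBBI", NH_UDP, 2 * len(route), 0, len(route), 0) + addrs
        nh = NH_ROUTING
    else:
        payload = b""
        nh = NH_UDP
    # Version 6, payload length, next header, hop limit, then src/dst.
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64) + src_b + dst_b
    return hdr + payload


def parse_ipv6(pkt):
    """Return (next_hop_dst, final_dst) for an IPv6 packet.

    next_hop_dst is the fixed-header destination; final_dst is the last
    address of a Type 0 routing header when one is present with
    Segments Left > 0, otherwise the same as next_hop_dst.
    """
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    next_header = pkt[6]
    dst = ipaddress.IPv6Address(pkt[24:40])
    final = dst
    off = IPV6_HDR_LEN
    if next_header == NH_ROUTING:
        if len(pkt) < off + 8:
            raise ValueError("truncated routing header")
        _nh, ext_len, rtype, seg_left = struct.unpack_from("!BBBB", pkt, off)
        hdr_len = (ext_len + 1) * 8
        if len(pkt) < off + hdr_len:
            raise ValueError("truncated routing header")
        if rtype == 0 and seg_left > 0:
            n_addrs = ext_len // 2
            if ext_len % 2 != 0 or seg_left > n_addrs:
                raise ValueError("malformed Type 0 routing header")
            base = off + 8
            final = ipaddress.IPv6Address(pkt[base + 16 * (n_addrs - 1):base + 16 * n_addrs])
    return dst, final


def spd_lookup(addr):
    """First-match SPD lookup on a destination address."""
    for net, action in SPD:
        if addr in net:
            return action
    return "discard"


def classify(pkt):
    """Show how the choice of selector address changes the SPD result."""
    dst, final = parse_ipv6(pkt)
    by_next_hop = spd_lookup(dst)
    by_final = spd_lookup(final)
    conservative = max((by_next_hop, by_final), key=lambda a: STRICTNESS[a])
    return {"next_hop": by_next_hop, "final": by_final, "conservative": conservative}


if __name__ == "__main__":
    # Next hop sits in the bypass prefix, final destination in the protect prefix.
    routed = build_packet("2001:db8:1::1", "2001:db8:1::2", ["2001:db8:2::9"])
    print(classify(routed))
    print(classify(build_packet("2001:db8:1::1", "2001:db8:1::2")))
```

An implementation that keys only on the fixed-header destination would bypass the routed packet, while one keyed on the final destination would protect it; the model's `conservative` field is the stricter of the two and is offered only as one possible reading, not as what any RFC mandates.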