[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection

To: Stephen Kent <kent@bbn.com>
Subject: Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
From: Tero Kivinen <kivinen@iki.fi>
Date: Sat, 21 Feb 2004 00:02:38 +0200
Cc: ipsec@lists.tislabs.com
In-reply-to: <p06020402bc5bc994c9c5@[128.89.89.75]>
References: <E1Ala9O-000662-Pt@thunk.org><p0602040bbc3dec1164ce@[128.33.244.157]><20040130232243.GA6423@thunk.org><p06020400bc4410ee852a@[128.89.89.75]><16434.24291.254422.111128@fireball.acr.fi><p06020405bc5830a6f914@[128.89.89.75]><16438.75.875878.718798@fireball.acr.fi><p06020402bc5bc994c9c5@[128.89.89.75]>
Sender: owner-ipsec@lists.tislabs.com

Stephen Kent writes:
> >This kind of setup can be used for normal web-traffic etc, where you
> >actually do not normally need to create IPsec SAs, but if you happen
> >to have SA up, you can use it (it does not cause any harm either).
> 
> it makes behavior non-deterministic, which is generally a bad thing 
> from a security perspective.

In those cases the encryption is not for the real security, but simply
encryption just because it is fun, and it will cause more traffic in
the net to be encrypted, making large scale traffic analysis harder. 

> >Might be true, but there are implemenations which support this kind of
> >operations.
> 
> Then they are non-complaint.

Does the RFC2401 really say, that you cannot expand the SPD at all,
and all implementations MUST only support what is defined there. I
thought that it specified mostly the minimum requirements not exact
requirements what can and cannot be implemented (i.e. I would not call
those extended versions non-complaint, I would call them IPsec +
extensions versions :-).
-- 
kivinen@safenet-inc.com

Follow-Ups:
- Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
  - From: Stephen Kent <kent@bbn.com>

References:
- Re: Issue #83: Generation of ICMP responses for inbound packetrequiring IPSEC protection
  - From: Stephen Kent <kent@bbn.com>
- Re: Issue #83: Generation of ICMP responses for inbound packetrequiring IPSEC protection
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
  - From: Tero Kivinen <kivinen@iki.fi>
- Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
  - From: Stephen Kent <kent@bbn.com>

Prev by Date: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Next by Date: Re: SAs that carry fragments Was: Re: Some IKEv2 issues
Previous by thread: Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
Next by thread: Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
Index(es):
- Date
- Thread