
Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection



At 0:02 +0200 2/21/04, Tero Kivinen wrote:
>Stephen Kent writes:
>>  >This kind of setup can be used for normal web-traffic etc, where you
>>  >actually do not normally need to create IPsec SAs, but if you happen
>>  >to have SA up, you can use it (it does not cause any harm either).
>>
>>  it makes behavior non-deterministic, which is generally a bad thing
>>  from a security perspective.
>
>In those cases the encryption is not for the real security, but simply
>encryption just because it is fun, and it will cause more traffic in
>the net to be encrypted, making large scale traffic analysis harder.

this is a commonly cited notion, but there are analysis techniques 
that show that the notion is not valid in most cases :-)

>>  >Might be true, but there are implementations which support this kind of
>>  >operations.
>>
>>  Then they are non-compliant.
>
>Does the RFC2401 really say, that you cannot expand the SPD at all,
>and all implementations MUST only support what is defined there. I
>thought that it specified mostly the minimum requirements not exact
>requirements what can and cannot be implemented (i.e. I would not call
>those extended versions non-compliant, I would call them IPsec +
>extensions versions :-).

we agree that 2401 specifies a minimum access control capability, but 
we may disagree about whether a non-deterministic SPD function 
represents an enhancement or a regression :-)

Steve