[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issue #83: Generation of ICMP responses for inbound packet requiring IPSEC protection
At 0:02 +0200 2/21/04, Tero Kivinen wrote:
>Stephen Kent writes:
>> >This kind of setup can be used for normal web-traffic etc, where you
>> >actually do not normally need to create IPsec SAs, but if you happen
>> >to have SA up, you can use it (it does not cause any harm either).
>>
>> it makes behavior non-deterministic, which is generally a bad thing
>> from a security perspective.
>
>In those cases the encryption is not for the real security, but simply
>encryption just because it is fun, and it will cause more traffic in
>the net to be encrypted, making large scale traffic analysis harder.
this is a commonly cited notion, but there are analysis techniques
that show that the notion is not valid in most cases :-)
> > >Might be true, but there are implemenations which support this kind of
>> >operations.
>>
>> Then they are non-complaint.
>
>Does the RFC2401 really say, that you cannot expand the SPD at all,
>and all implementations MUST only support what is defined there. I
>thought that it specified mostly the minimum requirements not exact
>requirements what can and cannot be implemented (i.e. I would not call
>those extended versions non-complaint, I would call them IPsec +
>extensions versions :-).
we agree that 2401 specifies a minimum access control capability, but
we may disagree about whether a non-deterministic SPD function
represents an enhancement or a regression :-)
Steve