Re: Traffic selectors, fragments, ICMP messages and security policy problems
>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:
Stephen> I'll mention my example, again, as to why port fields are
Stephen> appropriate, and add a note on performance:
Stephen> - by restricting access via an SA to a well known set of
Stephen> ports, relative to a specific address or set of addresses,
Stephen> one can reduce opportunities for attacks against the hosts
Stephen> or servers. think of this as a way to close off access to
Stephen> inappropriate ports, and to prevent malicious software that
Stephen> may have taken over a machine from being able to use that
Stephen> machine to launch attacks against other machines, at least
Stephen> for some classes of attacks. the worm that attacked IIS and
Stephen> spread via e-mail from web servers was the example I cited
Stephen> earlier.
Stephen> As for high speed, I concur with Mark. For my DoD clients,
Stephen> the intent is to be able to take advantage of these access
Stephen> control facilities over a wide performance range, not to
Stephen> have to tradeoff access control features vs. interface
Stephen> speeds.
I think Mark argued some in both directions (i.e., port selection as a
workaround for poor crypto performance), but I agree with your view.
If a feature is useful, it should be implementable at good
performance.
My suspicion is that some of the argument is coming from the
commercial marketplace. IPSec is hard enough to manage that the added
complexity of port selector setup is going to be adopted only when
there is a strong need for it. In environments where I have worked
(which were commercial networks), that wasn't the case, but I can see
your argument that there are others (such as DoD) where it definitely
is.
So where are we with Tero's previous analysis, which shows that port
selection in the presence of fragmentation can only be done correctly
if you keep cross-fragment state in the SG, i.e., it is expensive at
high speed?
It sounds to me like we have a case of (a) fast and efficient, (b)
support fragments, (c) support port selectors -- pick any TWO.
paul
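To make the "pick any two" point concrete, here is an added example that is not part of the original thread or of any IPsec implementation. It builds a few IPv4 fragments inline (constructed sample packets, not captured traffic), applies a port-bearing selector to them once statelessly and once with a per-datagram cache keyed on (src, dst, proto, IP ID), and shows that only the first fragment carries the ports, so a stateless SG cannot classify the rest and even a stateful SG cannot classify a fragment that arrives before its first fragment. The Selector tuple, the cache layout and the match return values are my own assumptions for illustration.

```python
"""Added example (not from the original thread): port selectors on an SG
in the presence of IPv4 fragmentation.  Packets are constructed inline
with struct; selector format and the cross-fragment cache are assumed."""
import struct
from collections import namedtuple

IP_MF = 0x2000       # More-Fragments flag
IP_OFFMASK = 0x1FFF  # fragment offset, in 8-byte units


def build_ipv4(src, dst, proto, ipid, off8, mf, payload):
    """Minimal IPv4 header (no options) + payload; checksum left as zero."""
    flags_frag = (IP_MF if mf else 0) | (off8 & IP_OFFMASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ipid,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def fragment(src, dst, proto, ipid, l4, chunk=16):
    """Split a transport payload into fragments of `chunk` bytes (multiple of 8)."""
    return [build_ipv4(src, dst, proto, ipid, i // 8, i + chunk < len(l4), l4[i:i + chunk])
            for i in range(0, len(l4), chunk)]


def parse_ipv4(pkt):
    vihl, _, _, ipid, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return dict(src=src, dst=dst, proto=proto, ipid=ipid,
                off8=ff & IP_OFFMASK, mf=bool(ff & IP_MF), l4=pkt[ihl:])


def ports_of(p):
    """Ports are visible only in a first fragment (offset 0) of TCP/UDP that
    carries at least the first 4 bytes of the transport header."""
    if p["off8"] != 0 or p["proto"] not in (6, 17) or len(p["l4"]) < 4:
        return None
    return struct.unpack("!HH", p["l4"][:4])


# Assumed selector shape: exact addresses/proto, inclusive port ranges.
Selector = namedtuple("Selector", "src dst proto sport dport")


def match_stateless(sel, p):
    """Per-packet decision: True/False, or None when the packet cannot be
    classified because the ports are not in this fragment."""
    if (p["src"], p["dst"], p["proto"]) != (sel.src, sel.dst, sel.proto):
        return False
    ports = ports_of(p)
    if ports is None:
        return None
    return sel.sport[0] <= ports[0] <= sel.sport[1] and sel.dport[0] <= ports[1] <= sel.dport[1]


class StatefulMatcher:
    """Caches the first fragment's verdict per (src, dst, proto, IP ID) so later
    fragments inherit it.  This is the cross-fragment state the SG must carry;
    a real SG would also need timers and a bound on the cache (itself a DoS surface)."""

    def __init__(self, sel):
        self.sel, self.cache = sel, {}

    def match(self, p):
        key = (p["src"], p["dst"], p["proto"], p["ipid"])
        v = match_stateless(self.sel, p)
        if v is not None:
            if p["mf"]:              # first fragment of a fragmented datagram
                self.cache[key] = v
            return v
        if key in self.cache:        # later fragment: reuse the first fragment's verdict
            v = self.cache[key]
            if not p["mf"]:
                del self.cache[key]  # last fragment seen: datagram complete
            return v
        return None                  # arrived before its first fragment: queue or drop


def demo():
    """Constructed sample: one TCP datagram to port 80, split into 3 fragments."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    sel = Selector(src, dst, 6, (1024, 65535), (80, 80))
    l4 = struct.pack("!HH", 40000, 80) + b"\x00" * 36   # TCP-like header, ports first
    frags = fragment(src, dst, 6, 0x1234, l4)
    stateless = [match_stateless(sel, parse_ipv4(f)) for f in frags]
    in_order = [StatefulMatcher(sel).match(parse_ipv4(f)) for f in []]  # placeholder, replaced below
    m = StatefulMatcher(sel)
    in_order = [m.match(parse_ipv4(f)) for f in frags]
    m2 = StatefulMatcher(sel)
    reordered = [m2.match(parse_ipv4(f)) for f in (frags[1], frags[0], frags[2])]
    return stateless, in_order, reordered


if __name__ == "__main__":
    print(demo())
```

The stateless pass classifies only the first fragment; the stateful pass classifies all three when they arrive in order, but a second fragment that overtakes the first still gets no verdict, which is exactly the state-plus-queuing cost at line rate that the message above is weighing against port selectors.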