
Re: Traffic selectors, fragments, ICMP messages and security policy problems



>>>>> "Stephen" == Stephen Kent <kent@bbn.com> writes:

 Stephen> I'll mention my example, again, as to why port fields are
 Stephen> appropriate, and add a note on performance:

 Stephen> - by restricting access via an SA to a well known set of
 Stephen> ports, relative to a specific address or set of addresses,
 Stephen> one can reduce opportunities for attacks against the hosts
 Stephen> or servers. think of this as a way to close off access to
 Stephen> inappropriate ports, and to prevent malicious software that
 Stephen> may have taken over a machine from being able to use that
 Stephen> machine to launch attacks against other machines, at least
 Stephen> for some classes of attacks. the worm that attacked IIS and
 Stephen> spread via e-mail from web servers was the example I cited
 Stephen> earlier.

 Stephen> As for high speed, I concur with Mark.  For my DoD clients,
 Stephen> the intent is to be able to take advantage of these access
 Stephen> control facilities over a wide performance range, not to
 Stephen> have to tradeoff access control features vs. interface
 Stephen> speeds.

I think Mark argued somewhat in both directions (i.e., port selection as a
workaround for poor crypto performance), but I agree with your view.
If a feature is useful, it should be implementable at good
performance.

My suspicion is that some of the argument is coming from the
commercial marketplace.  IPSec is hard enough to manage that the added
complexity of port selector setup is going to be adopted only when
there is a strong need for it.  In environments where I have worked
(which were commercial networks), that wasn't the case, but I can see
your argument that there are others (such as DoD) where it definitely
is.

So where are we with Tero's previous analysis, which shows that port
selection in the presence of fragmentation can only be done correctly
if you keep cross-fragment state in the SG, i.e., it is expensive at
high speed?

It sounds to me like we have a case of (a) fast and efficient, (b)
support fragments, (c) support port selectors -- pick any TWO.

	paul
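The trade-off Paul summarises (fast, fragments, port selectors: pick two) is easy to see in code. The following is an added illustration, not part of the thread and not taken from any IPsec implementation: a toy SPD matcher with a single address/protocol/port selector. Packets are modelled as small records with the IP id, fragment offset and more-fragments flag; only the first fragment (offset 0) carries the transport header, so only it has a destination port. The stateless matcher can classify first fragments but must return "unknown" for every non-first fragment; the stateful variant remembers the verdict per datagram keyed on (src, dst, proto, ip_id), which is exactly the cross-fragment state in the security gateway that the thread says is expensive at high speed. All names (Packet, Selector, StatefulSelector) and the sample packets are constructed for the example.

```python
"""Toy traffic-selector matching with and without cross-fragment state.

Constructed illustration for the IPsec selector/fragmentation discussion;
not real SPD code. Verdicts are "protect", "discard" or "unknown".
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int            # 6 = TCP, 17 = UDP
    ip_id: int            # IP identification field, shared by all fragments
    frag_offset: int      # in 8-byte units; 0 = first (or only) fragment
    more_frags: bool
    dport: Optional[int] = None  # only present when frag_offset == 0


@dataclass(frozen=True)
class Selector:
    """Simplified SPD entry: address pair, protocol, allowed destination ports."""
    src: str
    dst: str
    proto: int
    dports: frozenset


def stateless_decision(pkt: Packet, sel: Selector) -> str:
    """Classify a single packet with no memory of earlier fragments."""
    if (pkt.src, pkt.dst, pkt.proto) != (sel.src, sel.dst, sel.proto):
        return "discard"
    if pkt.frag_offset != 0:
        # Non-first fragment: no transport header, ports cannot be checked.
        return "unknown"
    return "protect" if pkt.dport in sel.dports else "discard"


class StatefulSelector:
    """Per-datagram verdict cache keyed on (src, dst, proto, ip_id).

    This table is the cross-fragment state a gateway must keep (and
    time out, and bound in size) to apply port selectors to fragments.
    """

    def __init__(self, sel: Selector) -> None:
        self.sel = sel
        self.pending: Dict[Tuple[str, str, int, int], str] = {}

    def decide(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        if pkt.frag_offset == 0:
            verdict = stateless_decision(pkt, self.sel)
            if pkt.more_frags:
                self.pending[key] = verdict   # remember for the rest of the datagram
            return verdict
        verdict = self.pending.get(key)
        if verdict is None:
            # First fragment not seen (lost, reordered, or never sent):
            # the port check cannot be applied to this fragment.
            return "unknown"
        if not pkt.more_frags:
            self.pending.pop(key, None)       # last fragment: release state
        return verdict


# Constructed sample traffic: two fragmented datagrams and an orphan fragment.
SEL = Selector("10.0.0.1", "10.0.0.2", 6, frozenset({80, 443}))
SAMPLE = [
    Packet("10.0.0.1", "10.0.0.2", 6, 100, 0, True, dport=80),    # allowed port
    Packet("10.0.0.1", "10.0.0.2", 6, 100, 185, False),            # its tail
    Packet("10.0.0.1", "10.0.0.2", 6, 101, 0, True, dport=23),    # disallowed port
    Packet("10.0.0.1", "10.0.0.2", 6, 101, 185, False),            # its tail
    Packet("10.0.0.1", "10.0.0.2", 6, 999, 185, False),            # orphan fragment
]


def run_stateless(pkts=SAMPLE, sel=SEL):
    return [stateless_decision(p, sel) for p in pkts]


def run_stateful(pkts=SAMPLE, sel=SEL):
    s = StatefulSelector(sel)
    verdicts = [s.decide(p) for p in pkts]
    return verdicts, len(s.pending)


if __name__ == "__main__":
    print("stateless:", run_stateless())
    print("stateful: ", run_stateful())
```

Running it shows the stateless matcher returning "unknown" for every non-first fragment, while the stateful matcher resolves the tails of datagrams 100 and 101 to the first fragment's verdict and still cannot classify the orphan; the size of `pending` after the run is the state that has to be stored, bounded and aged out on a real gateway.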