Re: Traffic selectors, fragments, ICMP messages and security policy problems
> From: Stephen Kent <kent@bbn.com>
> >Yes, but at least my current implementation rejects packets that are
> >protected validly with ESP or AH, but policy calls for no protection
> >(or if policy calls for different protection).
>
> that's an interesting "feature." I can understand why you might
> choose to do that, e.g., for fault detection and isolation, but I'm
> not sure it is needed from a security perspective.
This "feature" may have real uses. The following example is a bit
artificial, but it may serve for now:
A mobile node M is talking to a server S, hosting some database
application. S is behind a normal Firewall (FW), which the admins
configure to pass IPSEC traffic to S, knowing it only *accepts* and
requires the database traffic to be protected.
M <============ FW ====== DataBaseAccess ===> S
S is also hosting other services (WEB, SMTP, etc), which are used in
clear and it is assumed that the FW filters dangerous stuff from
clear traffic.
If M gets infected with something, M could quite easily send some
harmful stuff using the Database IPSEC connection, if S accepts
anything else that just happens to be validly protected by the IPSEC.
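The inbound check the scenario above calls for, as an added example that is not part of the thread: after ESP/AH decapsulation the endpoint S consults both the security association the packet arrived on and its security policy, and discards traffic that is validly protected but belongs to a service the policy says is carried in clear. Addresses, ports, SPIs, the `Packet`/`Selector`/`SA` types and the `inbound_decision` function are all constructed here for illustration; they are not from any real implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the inbound IPsec check: a decapsulated packet is
# accepted only if the SA it arrived on covers it AND the policy for that
# traffic is PROTECT. Clear-text packets are accepted only where policy
# says BYPASS. Everything below is a hypothetical, made-up configuration.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    spi: Optional[int] = None   # SPI of the SA the packet arrived on; None = clear

@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: str
    dports: tuple               # inclusive (low, high) destination port range

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and pkt.proto == self.proto
                and self.dports[0] <= pkt.dport <= self.dports[1])

@dataclass(frozen=True)
class SPDEntry:
    selector: Selector
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"

@dataclass(frozen=True)
class SA:
    spi: int
    selector: Selector          # traffic this SA was negotiated for

def lookup_policy(pkt: Packet, spd: list) -> str:
    """First-match policy lookup; no match means default deny."""
    for entry in spd:
        if entry.selector.matches(pkt):
            return entry.action
    return "DISCARD"

def inbound_decision(pkt: Packet, spd: list, sad: dict) -> tuple:
    """Return (verdict, reason) for a packet after decapsulation."""
    action = lookup_policy(pkt, spd)
    if pkt.spi is None:
        # Clear-text packet: only traffic the policy explicitly bypasses gets in.
        if action == "BYPASS":
            return ("ACCEPT", "clear traffic permitted by policy")
        return ("DISCARD", f"policy {action} but packet arrived in clear")
    sa = sad.get(pkt.spi)
    if sa is None:
        return ("DISCARD", "unknown SPI")
    if not sa.selector.matches(pkt):
        return ("DISCARD", "inner packet outside the SA's negotiated selectors")
    if action != "PROTECT":
        # The "feature" from the thread: valid protection, but policy says clear.
        return ("DISCARD", f"validly protected but policy is {action}")
    return ("ACCEPT", "protected traffic matching SA and policy")

# Hypothetical scenario: server S, mobile node M, DB protected, web/SMTP in clear.
S = "192.0.2.10"
M = "198.51.100.7"
SPD = [
    SPDEntry(Selector("0.0.0.0/0", S + "/32", "tcp", (5432, 5432)), "PROTECT"),
    SPDEntry(Selector("0.0.0.0/0", S + "/32", "tcp", (80, 80)), "BYPASS"),
    SPDEntry(Selector("0.0.0.0/0", S + "/32", "tcp", (25, 25)), "BYPASS"),
]
SAD = {
    # SA negotiated narrowly for the database traffic only
    0x1001: SA(0x1001, Selector(M + "/32", S + "/32", "tcp", (5432, 5432))),
    # an over-broad SA covering all TCP from M to S (to show the policy check)
    0x1002: SA(0x1002, Selector(M + "/32", S + "/32", "tcp", (0, 65535))),
}

def scenario() -> dict:
    cases = {
        "db_via_sa":        Packet(M, S, "tcp", 5432, spi=0x1001),
        "web_via_sa":       Packet(M, S, "tcp", 80, spi=0x1001),  # outside SA selectors
        "web_via_wide_sa":  Packet(M, S, "tcp", 80, spi=0x1002),  # valid SA, wrong policy
        "db_in_clear":      Packet(M, S, "tcp", 5432),
        "web_in_clear":     Packet(M, S, "tcp", 80),
    }
    return {name: inbound_decision(p, SPD, SAD)[0] for name, p in cases.items()}

if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:16s} -> {verdict}")
```

The two discard branches for protected traffic are distinct: `web_via_sa` fails because the narrow SA was never negotiated for port 80, while `web_via_wide_sa` fails only because of the policy check the thread debates; an endpoint that skipped that second check would let anything M sends through the tunnel reach the clear-text services, bypassing the firewall in front of S.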