[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Traffic selectors, fragments, ICMP messages and security policy problems




> From: Stephen Kent <kent@bbn.com>

> >Yes, but at least my current implementation rejects packets that are
> >protected validly with ESP or AH, but policy calls for no protection
> >(or if policy calls for different protection).
> 
> that's an interesting "feature." I can understand why you might 
> choose to do that, e.g., for fault detection and isolation, but I'm 
> not sure it is needed from a security perspective.

This "feature" may have real uses. The following example is a bit
artificial, but it may serve for now:

 A mobile node M is talking to a server S, hosting some database
 application. S is behind a normal Firewall (FW), which the admins
 configure to pass IPSEC traffic to S, knowing it only *accepts* and
 requires the database traffic to be protected.

 M <============ FW ====== DataBaseAccess ===> S

 S is also hosting other services (WEB, SMTP, etc), which are used in
 clear and it is assumed that the FW filters dangerous stuff from
 clear traffic.

 If M gets infected with something, M could quite easily send some
 harmful stuff using the Database IPSEC connection, if S accepts
 anything else that just happens to be validly protected by the IPSEC.