
Re: [IPSECKEY] Security Considerations (pass 2)



At Fri, 23 May 2003 12:38:27 +0200, Jean-Jacques Puig wrote:
> 
> In the context of active attack, I agree on a MUST, but how would the
> implementation know in which context it is? Is it a choice from
> the administrator?

In my opinion, the answer to this is "yes" (that is, I think that the
decision on whether to worry about active attacks is administrative,
and takes place on the client side).  It might be appropriate for us
to say that the default (for clueless administrators) must be to worry
about active attacks, but I think that Hugh has made a decent case for
why an implementor might choose to provide a way for consenting adults
to choose not to worry about active attacks.

> In an environment in which active attacks are likely to happen, both key
> information and gateway option are extremely vulnerable without the
> use of end-to-end integrity protection. Thus, in such an environment,
> the DNS client MUST refuse any gateway field different from the RR owner
> name. Note that this implies coherence of types between RR owner name
> and gateway field (both IPv4 or both FQDN or both IPv6 etc), thus the
> use of self "." is recommended for ease of use.

Yeah, I was wondering if I should have punted the stuff about the RR
owner name matching the gateway field and just said that a client
which has to worry about active attacks on the DNS data MUST NOT trust
IPSECKEY records with a non-zero gateway type field.
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.
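
The two acceptance rules argued over above, the "gateway must be the RR owner name" rule and the simpler "refuse any non-zero gateway type", implemented side by side as an added Python example. This is not code from the thread or from any IPSECKEY implementation. It assumes the gateway type codes of the IPSECKEY specification (0 no gateway, 1 IPv4, 2 IPv6, 3 domain name), models the administrator's "worry about active attacks" decision as a boolean parameter, and works on constructed sample records; the base64 key text is arbitrary and is never decoded.

```python
"""Gateway-field acceptance policy for IPSECKEY records (added example).

Both rules are applied only when the administrator has decided that active
attacks on DNS data are a concern; otherwise every record is accepted.
"""
from dataclasses import dataclass
import ipaddress

# Gateway type codes as defined in the IPSECKEY specification (RFC 4025).
# Assumed here; the thread itself does not spell out the numbering.
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3


@dataclass(frozen=True)
class IPSECKEYRecord:
    owner: str        # RR owner name the client looked up
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: str      # "." for no gateway (self), else IPv4, IPv6 or FQDN text
    public_key: str   # base64 text as in presentation format (not decoded)


def parse_ipseckey(owner: str, rdata: str) -> IPSECKEYRecord:
    """Parse presentation-format RDATA: precedence gw-type algorithm gateway [key].

    The gateway text is checked against the declared type, so a record that
    claims type 1 (IPv4) but carries a name is rejected at parse time.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("IPSECKEY RDATA needs at least four fields")
    precedence, gw_type, algorithm = (int(f) for f in fields[:3])
    gateway = fields[3]
    if gw_type == GW_NONE:
        if gateway != ".":
            raise ValueError("gateway type 0 requires the gateway field '.'")
    elif gw_type == GW_IPV4:
        ipaddress.IPv4Address(gateway)        # raises ValueError if not IPv4
    elif gw_type == GW_IPV6:
        ipaddress.IPv6Address(gateway)        # raises ValueError if not IPv6
    elif gw_type == GW_NAME:
        if gateway == "." or not gateway.endswith("."):
            raise ValueError("gateway name must be an absolute domain name")
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    return IPSECKEYRecord(owner, precedence, gw_type, algorithm, gateway,
                          "".join(fields[4:]))


def _canonical(name: str) -> str:
    """Lower-case with a single trailing dot, so names compare as DNS would."""
    return name.rstrip(".").lower() + "."


def gateway_matches_owner(rec: IPSECKEYRecord) -> bool:
    """Owner-name rule: the gateway field must denote the RR owner itself.

    "." (type 0) means self and always matches.  A name gateway must equal
    the owner name.  An address gateway can only match a reverse-map owner
    (in-addr.arpa / ip6.arpa) encoding the same address; this is the
    "coherence of types" between owner name and gateway field.
    """
    owner = _canonical(rec.owner)
    if rec.gateway_type == GW_NONE:
        return True
    if rec.gateway_type == GW_NAME:
        return _canonical(rec.gateway) == owner
    addr = ipaddress.ip_address(rec.gateway)  # IPv4 or IPv6
    return _canonical(addr.reverse_pointer) == owner


def accept_record(rec: IPSECKEYRecord, active_attacks_possible: bool,
                  simplified: bool = False) -> bool:
    """Decide whether the client may use this record.

    active_attacks_possible is the administrator's choice.  When False
    (consenting adults) everything is accepted.  When True, apply either the
    owner-name rule or the simplification "refuse any non-zero gateway type".
    """
    if not active_attacks_possible:
        return True
    if simplified:
        return rec.gateway_type == GW_NONE
    return gateway_matches_owner(rec)


# Constructed sample records; the key is arbitrary base64 text, not a real key.
KEY = "AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvgqt4AQ=="
SAMPLES = [
    ("self",          "mail.example.com.",        f"10 0 2 . {KEY}"),
    ("reverse-map",   "38.2.0.192.in-addr.arpa.", f"10 1 2 192.0.2.38 {KEY}"),
    ("other-gateway", "mail.example.com.",        f"10 3 2 gw.example.com. {KEY}"),
    ("type-mismatch", "mail.example.com.",        f"10 1 2 192.0.2.38 {KEY}"),
]


def classify(active_attacks_possible: bool, simplified: bool = False) -> dict:
    """Map each sample label to the accept/refuse decision under one policy."""
    return {label: accept_record(parse_ipseckey(owner, rdata),
                                 active_attacks_possible, simplified)
            for label, owner, rdata in SAMPLES}


if __name__ == "__main__":
    print("no active attacks:", classify(False))
    print("owner-name rule:  ", classify(True))
    print("simplified rule:  ", classify(True, simplified=True))
```

Under the owner-name rule the reverse-map record (owner 38.2.0.192.in-addr.arpa., gateway 192.0.2.38) is still accepted because the gateway and the owner name denote the same host, whereas the simplified rule refuses it along with every other non-zero gateway type; that difference is exactly what is traded away by the simpler MUST NOT wording.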