trust security claims of incoming packets?

Most vendors of IPSec components that I have talked to do not verify, against their local policy database, if an inbound packet has claimed and been afforded the security processing that the local policy specifies. Doing this verification may, of course, introduce a performance bottleneck in the processing of unsecured packets which would be undesirable, as most users would expect performance not to degrade unless secured packets are being processed.

If a packet arrives demanding security processing (e.g. has an ESP header) then, after processing, the local policy is inspected to confirm that the appropriate processing was applied, but if the packet arrives unsecured all security processing is bypassed, trusting instead that the packet was indeed meant to be insecure.

This method of handling unsecured packets goes against my interpretation of the IPSec specs and seems to be a security hole. What point am I missing that will mitigate my concern?

Thanks.

Vicente Cavanna
Agilent Technologies
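The two inbound behaviours contrasted in the message above, as an added C example that is not part of the original post or any vendor's code. The selectors, the sample policy database and all function names are constructed for illustration, and the strict rule that a packet's arrival form must equal the policy's action is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration: every name and the sample policy are constructed. */
enum action  { DISCARD, BYPASS, PROTECT };  /* what the policy requires */
enum arrival { PLAIN, ESP_OK };             /* cleartext / ESP verified */
struct spd_entry { uint32_t src, mask; uint16_t dport; enum action act; };

/* Constructed inbound policy, first match wins; dport 0 means any port. */
static const struct spd_entry spd[] = {
    { 0x0A000000, 0xFF000000, 0,  PROTECT }, /* from 10.0.0.0/8: ESP required */
    { 0x00000000, 0x00000000, 80, BYPASS  }, /* anyone to port 80: cleartext  */
};

static enum action spd_lookup(uint32_t src, uint16_t dport)
{
    for (size_t i = 0; i < sizeof spd / sizeof spd[0]; i++)
        if ((src & spd[i].mask) == spd[i].src &&
            (spd[i].dport == 0 || spd[i].dport == dport))
            return spd[i].act;
    return DISCARD;                          /* no entry matches: drop */
}

/* Behaviour described in the message: policy is consulted only after
   IPsec processing, so a cleartext packet is never compared with it. */
int accept_fast_path(uint32_t src, uint16_t dport, enum arrival how)
{
    if (how == PLAIN)
        return 1;
    return spd_lookup(src, dport) == PROTECT;
}

/* Every inbound packet is matched: cleartext passes only where the policy
   says BYPASS, ESP-protected traffic only where it says PROTECT. */
int accept_checked(uint32_t src, uint16_t dport, enum arrival how)
{
    enum action want = spd_lookup(src, dport);
    if (want == DISCARD)
        return 0;
    return (how == ESP_OK) ? want == PROTECT : want == BYPASS;
}

int main(void)
{
    printf("cleartext 10.1.2.3 -> port 22: fast path %d, checked %d\n",
           accept_fast_path(0x0A010203, 22, PLAIN),
           accept_checked(0x0A010203, 22, PLAIN));
    return 0;
}
```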
Last updated: Wed Oct 24 18:17:30 2001