RE: trust security claims of incoming packets?

To: "CAVANNA,VICENTE V \(A-Roseville,ex1\)" <vince_cavanna@agilent.com>, <ips@ece.cmu.edu>
Subject: RE: trust security claims of incoming packets?
From: "Bill Strahm" <bill@sanera.net>
Date: Wed, 24 Oct 2001 14:50:10 -0700
Cc: "SHEEHY,DAVE \(A-Americas,unix1\)" <dave_sheehy@agilent.com>, "ALBERTSON,LYLE \(A-PaloAlto,ex1\)" <lyle_albertson@agilent.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;charset="iso-8859-1"
Importance: Normal
In-Reply-To: <01A7DAF31F93D511AEE300D0B706ED920CF65C@axcs13.cos.agilent.com>
Sender: owner-ips@ece.cmu.edu

I can't vouch for other implelmentors, but the implementation I worked on
checked... It is required in the specification.  This basically turned into
a single look into a hash table... not a huge overhead... some, but not
much, and we were able to get darned close to theoretical wire speed at
100Mbps full duplex...  I know that some vendors did not check after ESP
processing if the packet should have been covered by the negotiated SA...
We didn't initially, we did in a second version that never made it to market
(to my knowledge)

I'd like to know what vendors you talk to that don't follow the standard, I
can actually see many VPN vendors not doing this, because they will turn
around and drop all clear packets anyway...

Bill
+========+=========+=========+=========+=========+=========+=========+
Bill Strahm     Software Development is a race between Programmers
Member of the   trying to build bigger and better idiot proof software
Technical Staff and the Universe trying to produce bigger and better
bill@sanera.net idiots.
(503) 601-0263  So far the Universe is winning --- Rich Cook

-----Original Message-----
From: owner-ips@ece.cmu.edu [mailto:owner-ips@ece.cmu.edu]On Behalf Of
CAVANNA,VICENTE V (A-Roseville,ex1)
Sent: Wednesday, October 24, 2001 1:46 PM
To: 'ips@ece.cmu.edu'
Cc: CAVANNA,VICENTE V (A-Roseville,ex1); SHEEHY,DAVE (A-Americas,unix1);
ALBERTSON,LYLE (A-PaloAlto,ex1)
Subject: trust security claims of incoming packets?


Most vendors of IPSec components that I have talked to do not verify,
against their local policy database, if an inbound packet has claimed and
been afforded the security processing that the local policy specifies. Doing
this verification may, of course, introduce a performance bottleneck in the
processing of unsecured packets which would be undesireable, as most users
would expect performance not to degrade unless secured packets are being
processed.

If a packet arrives demanding security processing (e.g. has an ESP header)
then, after processing, the local policy is inspected to confirm that the
appropriate processing was applied  but if the packet arrives unsecured  all
security processing is bypassed, trusting instead that the packet was indeed
meant to be insecure.

This method of handling unsecured packets goes against my interpretation of
the IPSec specs and seems to be a security hole.

What point am I missing that will mitigate my concern?

Thanks.

Vicente Cavanna
Agilent Technologies

References:
- trust security claims of incoming packets?
  - From: "CAVANNA,VICENTE V (A-Roseville,ex1)" <vince_cavanna@agilent.com>

Prev by Date: FCIP: NAPTs Solution Proposal (issue from Irvine, CA Interim meeting)
Next by Date: re: iSCSI minimum PDU length
Prev by thread: trust security claims of incoming packets?
Next by thread: RE: trust security claims of incoming packets?
Index(es):
- Date
- Thread

Home

Last updated: Thu Oct 25 13:17:31 2001
7394 messages in chronological order