On Nov 13, 2009, at 12:16 AM, Stephen Kent wrote:
> My message pointed out that there was no mention of options, Your reply
> picked a couple of option examples and argued that they were either not used
> or did not pose a security problem.
>
> The right way to generate a god answer is to construct a table of all the
> options, and provide a rationale for why each one is not covered, deprecated,
> or not secruity relevant.
Divine guidance is, I suppose, one way to do protocol design, but it could lead
to *real* religious wars....
>
> Also, note that IPSO and CIPSO are examples of options that were discussed at
> the IPSECME meeting this week, where there is a need to bind the options to
> the payload. I observed that using tunnel mode (ESP) addresses this concern,
> but one could also note that using AH would do the same, with lower
> per-packet bandwidth overhead.
Or put the labels in the SA, since especially for IPSO you probably want
cryptographic separation of different security levels.
I did go through the analysis you suggest for IPv4 and concluded that nothing
was both protectable and useful. I also noted the following issue:
Furthermore, the AH spec says that we can't
enumerate the v4 options, and hence whether or not they should
be included or not -- but RFC1122 says that unknown IP options
MUST be silently ignored. So an implementation can receive an
option that it doesn't recognize, doesn't know if it changes
en route, must be ignored anyway -- but may or may not be included
in the AH calculation, and the receiver doesn't know.
Note, of course, that that was from 1995; I have not repeated the analysis for
newer AH or IPv6 specs.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
