
Re: An architectural draft



Iljitsch;

> >>>   AH is
> >>>   forbidden because its functionality overridden by ESP and its SPI 
> >>> is
> >>>   not located at port number part.
> 
> >> If my understanding is correct, integrity check including IP header
> >> cannot be done with ESP.  AH can do that.
> 
> > First, which part of IP header, do you want to check the integrity?
> 
> The source address is something I'd really like to check.

You don't.

If payload passes authentication check, the payload is considered
to be reliable regardless of the source address.

> When I get around to it, I plan to write a draft about how ISPs can do 
> proxy IPsec AH processing for their customers to eliminate denial of 
> service traffic.

It is an utter violation of the end to end principle and assured
not to scale, which, for example, means poor performance.

In this case, a proxy box of an ISP is an easy victim of the DoS
attack.

The protection against DoS is to distribute the load to the end
systems of the ISP's customers.

> > Once a host receives a packet and delivers it to some application
> > using SPI (which is why SPI is equivalent to port information), no
> > information in IP header is no longer necessary and it is too
> > late to check integrity of information in IP header.
> 
> That's why we do AH first and reject the packet if it doesn't check 
> out. Applications are not involved in IPsec, that's the whole point. 
> Otherwise you could just as well use TLS.

I'm afraid you are assuming authentication check by ESP is much
slower than that by AH.

It is true that, in general, encryption/decryption is a little bit
slower than authentication check.

So, you don't gain so much, even if authentication by ESP is as slow
as decryption.

Moreover, it is possible to have an ESP transform which first performs
the authentication check and, only if the check is successful, decryption
(or does nothing, if encryption is not necessary), so that there is no
difference.

Note that, by trying to protect things which do not have to be
protected, you can have an unmanageably complex multi6 solution.

							Masataka Ohta
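An added example (not from this thread or any IPsec implementation) of the two points argued above: an ESP receiver that verifies the ICV before spending any work on decryption, and an ICV that covers the ESP header and payload but not the IP header, so a rewritten source address neither breaks nor is caught by the check. The keys, SPI, addresses, the 32-byte stand-in IP header and the HMAC-based toy keystream are all constructed for the demo.

```python
import hmac, hashlib, struct

# Constructed demo, not a real IPsec transform: toy keystream cipher,
# minimal headers, one hard-coded SA.
AUTH_KEY = b"constructed-auth-key"
ENC_KEY = b"constructed-enc-key"
SPI = 0x1001
decrypt_calls = 0  # how many times decryption actually ran

def keystream(spi, seq, n):
    # Toy keystream standing in for a real cipher: HMAC-SHA256 in counter mode.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(ENC_KEY, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
    return out[:n]

def ip_header(src, dst):
    # 32-byte stand-in for an IPv6 header; only the addresses matter here.
    return src.encode().ljust(16, b"\0") + dst.encode().ljust(16, b"\0")

def esp_encapsulate(src, dst, seq, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(SPI, seq, len(plaintext))))
    esp_hdr = struct.pack("!II", SPI, seq)
    # ICV covers SPI, sequence number and ciphertext only, never the IP header.
    icv = hmac.new(AUTH_KEY, esp_hdr + ct, hashlib.sha256).digest()[:16]
    return ip_header(src, dst) + esp_hdr + ct + icv

def esp_receive(packet):
    global decrypt_calls
    esp = packet[32:]                      # IP header is not inspected at all
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != SPI:
        return None                        # no SA for this SPI
    ct, icv = esp[8:-16], esp[-16:]
    expected = hmac.new(AUTH_KEY, esp[:8] + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        return None                        # rejected before any decryption work
    decrypt_calls += 1
    return bytes(a ^ b for a, b in zip(ct, keystream(spi, seq, len(ct))))

def demo():
    global decrypt_calls
    decrypt_calls = 0
    pkt = esp_encapsulate("2001:db8::1", "2001:db8::2", 1, b"hello multi6")
    ok = esp_receive(pkt)
    # Rewriting the source address leaves the ESP ICV valid.
    spoofed = ip_header("2001:db8::bad", "2001:db8::2") + pkt[32:]
    spoof_ok = esp_receive(spoofed)
    # Flipping one ciphertext byte fails the ICV, so decryption never runs for it.
    tampered = bytearray(pkt); tampered[40] ^= 0x01
    tamper_ok = esp_receive(bytes(tampered))
    return ok, spoof_ok, tamper_ok, decrypt_calls
```

Running `demo()` returns the accepted payload twice (original and source-spoofed), `None` for the tampered packet, and a decryption count of 2, showing that the forged packet cost no decryption.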