
Re: threats ID



On 20-jan-04, at 13:35, Masataka Ohta wrote:

> However, the IP layer does not have any state of a connection,

That's not true. The routing table is state, as is per-destination path MTU information. I'm not even going to mention IPsec.


> because it is connectionless.

For a connection you need per-connection matching state in at least two places, the source and the destination. For IP you still need state, but it's per IP address or even per prefix, and it doesn't have to match on both ends. But it's still state.


> In my opinion, many of the shim approaches
> do create a kind of a new layer, say layer 3.5, which contains a per-host
> state, potentially shared by multiple transport layer connections.

> All the shim layers work at least at layer 4, so there
> is no point in saying layer 3.5.

I believe NOID and certainly ODT allow layer 4 to work without changes, and the changes they make to layer 3 are such that they can easily be thought of as a layer between 3 and 4, as those changes only apply to the endpoints and not to what happens in routers (ok, except for address rewriting). So "layer 3.5" makes sense to me.


BTW, my point about man in the middle was that an attacker can still do damage without having full man in the middle capabilities, for instance by intercepting packets and injecting falsified ones, without necessarily being able to stop the flow of traffic between the endpoints. This is important, because true man in the middle capability isn't something that is easily achieved, while "man on the sideline", where the attacker can observe data and inject his own, but not stop the real data from flowing, is fairly trivial to achieve in many situations.
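As an added illustration of the last paragraph (example code, not part of the original message), here is a receiver-side check that relies on exactly the property described: because a "man on the sideline" cannot stop the genuine packet, the receiver eventually sees two packets for the same flow and sequence number that disagree. The flow tuples, TTL values and payloads are constructed sample data, and the TTL tolerance is an assumption about how much hop distance legitimately varies.

```python
# Detect on-the-side injection from the receiver's point of view.
# A true man in the middle can drop the genuine packet; an attacker who can
# only observe and inject cannot, so both packets arrive. Two packets for the
# same (flow, seq) with different payloads, or with a large TTL jump (the
# forger sits at a different hop distance), are flagged. The check does not
# decide which of the two is genuine; it only reports the disagreement.

# Constructed sample capture: (flow 4-tuple, seq, ttl, payload)
FLOW = ("10.0.0.1", "10.0.0.2", 4001, 80)
SAMPLE = [
    (FLOW, 1000, 52, b"GET / HTTP/1.0"),
    (FLOW, 1014, 52, b"Host: example"),
    (FLOW, 1014, 61, b"Host: forged"),    # injected copy, different TTL
    (FLOW, 1014, 52, b"Host: example"),   # benign retransmission
]

def find_injections(records, ttl_slack=2):
    """Return alerts for (flow, seq) pairs seen with inconsistent content.

    ttl_slack (assumed value) allows small TTL variation from route changes
    so that ordinary retransmissions are not reported.
    """
    first_seen = {}   # (flow, seq) -> (ttl, payload) of the first copy
    alerts = []
    for flow, seq, ttl, payload in records:
        key = (flow, seq)
        if key not in first_seen:
            first_seen[key] = (ttl, payload)
            continue
        prev_ttl, prev_payload = first_seen[key]
        reasons = []
        if payload != prev_payload:
            reasons.append("payload differs from earlier copy")
        if abs(ttl - prev_ttl) > ttl_slack:
            reasons.append("ttl jumped %d -> %d" % (prev_ttl, ttl))
        if reasons:   # identical retransmits produce no reasons
            alerts.append({"flow": flow, "seq": seq, "ttl": ttl,
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_injections(SAMPLE):
        print(alert)
```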