
Re: visibility of identifier in shim6 payload packet (was: Re: IPsec !?...)



[Does anyone know what has happened to the mailing list? I only got one message after Wednesday and I posted three. I mailed Geoff and Kurtis but to no avail.]

On 6-aug-2006, at 9:36, marcelo bagnulo braun wrote:

So basically this means that IF a host with bump-in-the-wire IPsec support MUST implement the shim in the BITW module and the host itself MUST NOT do shim6?

well I would rephrase it a bit differently

a host may have different shim6 and IPsec implementations, native and BITW. If the host is using BITW IPsec, then if it wants to implement the shim, it must use the BITW shim implementation...

Right. I would like to express this as "if a host has BITW IPsec, the host itself MUST NOT perform shim6 processing" so that if the host does shim6, this happens at or after the BITW module.

The second option isn't an option because information in the packet can't be trusted.

why not?

Because I can make a packet that has my return address but has marcelo@it.uc3m.es in the additional ULID field. This means that demultiplexing the packet on this field without additional security checks allows attackers to inject packets. Additional checks mean state, and if we have state anyway, being able to look up the context ID or other demux info is not a big deal, so there is no reason to have a ULID field.

(Yes, this means that MIPv6 got it wrong.)
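
The demultiplexing argument in the message above, as an added example that is not part of the original post: a simplified Python model (not the shim6 wire format) comparing demux on a self-declared ULID field with a lookup in per-context state. The class names, `ulid_field`, the context ID value and the 2001:db8:: addresses are constructed for illustration, and the locator check stands in for the "additional security checks" the message mentions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_locator: str             # address the packet carries as its source
    context_id: Optional[int]    # demux key agreed when the context was set up
    ulid_field: Optional[str]    # hypothetical self-declared ULID in the packet
    payload: bytes

class Receiver:
    def __init__(self):
        # The state: context_id -> (peer ULID, locators accepted for that peer)
        self.contexts = {}

    def establish(self, context_id, peer_ulid, locators):
        self.contexts[context_id] = (peer_ulid, frozenset(locators))

    def demux_by_ulid_field(self, pkt):
        """Stateless: attribute the packet to whatever ULID it claims."""
        return pkt.ulid_field

    def demux_by_state(self, pkt):
        """Stateful: look up the context and check the locator; None = drop."""
        entry = self.contexts.get(pkt.context_id)
        if entry is None:
            return None
        peer_ulid, locators = entry
        return peer_ulid if pkt.src_locator in locators else None

def run_demo():
    rx = Receiver()
    peer = "2001:db8:a::1"                        # constructed ULID
    rx.establish(0x2A, peer, [peer, "2001:db8:b::1"])
    packets = {                                   # constructed sample packets
        "legit": Packet("2001:db8:b::1", 0x2A, peer, b"data"),
        "forged_ulid": Packet("2001:db8:ff::66", None, peer, b"x"),
        "guessed_id": Packet("2001:db8:ff::66", 0x2A, peer, b"x"),
    }
    return {name: (rx.demux_by_ulid_field(p), rx.demux_by_state(p))
            for name, p in packets.items()}

if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:12} ulid-field -> {stateless}   state -> {stateful}")
```

Both forged packets are attributed to the peer's ULID by the field-based demux and dropped by the state-based one, and the state-based path never reads `ulid_field` at all.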