[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPsec thing with REAP

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: IPsec thing with REAP
From: Pekka Savola <pekkas@netcore.fi>
Date: Mon, 10 Mar 2008 19:48:31 +0200 (EET)
Cc: shim6@psg.com
In-reply-to: <507F9ED6-5DBB-4A64-9A4E-9718725DB2C3@muada.com>
References: <507F9ED6-5DBB-4A64-9A4E-9718725DB2C3@muada.com>
User-agent: Alpine 1.00 (LRH 882 2007-12-20)

On Mon, 10 Mar 2008, Iljitsch van Beijnum wrote:

To protect against spoofed keepalive packets, a host implementing both shim6and IPsec MAY ignore incoming REAP keepalives if it has good reason to assumethat the other side will be sending IPsec-protected return traffic. I.e., ifa host is sending TCP data, it can reasonably expect to receive TCP ACKs inreturn. If no IPsec-protected ACKs come back but unprotected keepalives do,this could be the result from an attacker trying to hide broken connectivity.


I wonder how actionable this is from an implementor point of view.

Does a REAP implementor have access to the IPsec and TCP data andstate in example you gave? How?` Even if there was such access, it'snot obvious to make what kind of algorithm could be applied that wouldbe reliable.


--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

References:
- IPsec thing with REAP
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: IPsec thing with REAP
Next by Date: [Fwd: [Shim6-impl] LinShim6 0.7 released]
Previous by thread: Re: IPsec thing with REAP
Next by thread: [Fwd: [Shim6-impl] LinShim6 0.7 released]
Index(es):
- Date
- Thread