
Re: Last Call: 'UDP Encapsulation of IPsec Packets' to Proposed Standard

Henrik Levkowetz writes:
> Ok, & thanks. I've not come across a NAT with less than a couple of
> minutes timeout myself, so I suspect this may be very atypical. I don't

I haven't seen those NATs myself either, but it might be because I
have only seen small NAT boxes in the office and home. I would assume
those big NAT boxes used by the ISP to NAT all traffic from all ADSL
lines from all of their customers might be using smaller timeouts.

> If they are described in some other RFC, fine, then refer to that. If
> not, I don't think you should put this mechanism out there without
> explicitly describing the attacks that this mechanism makes possible,
> which would not be possible otherwise. Sorry.

This mechanism does not make any new attacks possible for generic
hosts. I.e., if the host is already listening on any UDP socket then it is
vulnerable to exactly the same set of attacks. The difference is that
if this is an IPsec SGW box that didn't do any UDP processing before
this, then this might open those attacks, because now it needs to do
more UDP processing than earlier.
-- 
kivinen@ssh.fi
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/