 |
 |
 |
 |
|
 |
|
 |
|
 |
|
 |
|
|
|
|
|
|
|
|
|
|
|
|
|
Hi Gabriel, This thread is precisely the discussion
that Paul mentions. The two alternatives I see on the table right
now (Paul might have different opinions) are: -
Publish a modified/wrapped ESP as Standards Track, and heuristics
as an extra Informational. -
Decide that heuristics are a sufficient solution for the problem, and
publish it as the only ipsecme work item related to this charter item. Paul and I would like to see more
discussion and hopefully WG consensus being formed, now that we have a real
heuristics I-D for everyone to analyze. Thanks, Yaron From:
ipsec-bounces at ietf.org [mailto:ipsec-bounces at ietf.org] On Behalf Of gabriel I'd like to ask the chairs to comment further about
something
From: Dragan
Grebovich <dragan at nortel.com> Hi Yoav As per #4, I did not elaborate what the
policy should be, because it is network-specific, however the goal of
having ESP-NULL (in this implementation) is to have strong authentication,
while enabling thirds party (intermediate) equipment to perform DPI.
That could be integrated in the in-line switch/router/firewall (for better
performance, but more expensive), or could be handed off to the side to an
appliance (more inspections, cheaper, but slower). Who am I to tell a
Checkpoint guy about both implementations? :-) I also disagree that we should inspect
just a first few packets (and keep their state), and then leave it alone to be
done in cache. Besides the scenario you outlined below, there are other
applications when inspection must be done on each packet in each
flow. I am not saying that heuristics are
not doable, I am just saying I know of implementations today that
require this check performed on all packets, and I don't believe devices we are
working on today or in the future would be able to support it with
heuristics turned on and meeting scalability and performance
requirements.. Also, DPI can be used for more than
just AV or packet content snooping. It could be used for QoS to
determine more granular traffic shaping and application-level routing.
There is also LI/CALEA aspect but I will leave that alone for now. From: Dragan Grebovich wrote:
I don't think the use case is to inspect
every packet like that. I also don't agree with what you wrote in #4. If
the appliance is willing to pass ESP-non-NULL, then it doesn't really care
about content inspection. That is fine, and probably the more common case, but
in that case it shouldn't care whether a packet is or is not encrypted. Our use case is an edge device that
inspects all traffic, and drops things it doesn't understand, such as non-NULL
ESP and possibly SSL (they might make an exception for HTTPS, but do a MiTM
attack against the SSL) So for each packet, the processing
is something like this:
Of course it's possible for the endpoints
to cheat, start of with ESP-NULL, and then after the heuristics marked it as
OK, begin encryption. This "attack" will work if all your policy says
is "ESP must be NULL". But that is not an interesting policy. Real
policies will require deeper inspection of the internal flows, so the cost of
the heuristics becomes negligible, as it only requires looking at the first few
packets of each ESP SA.
Email secured by Check Point |