Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Grewal, Ken writes:
> [Ken] In some cases, the certainty must be 100%, otherwise there is
> no control. E.g., a new exploit has just been published for certain
> types of traffic - published vulnerability where a virus/worm can
> exploit a 'buffer overrun/stack overflow' condition for a given
> piece of software providing a given service, which subsequently
> allows a hijacker to take control of the machine/server. That
> service MUST be shut down to ensure that the vulnerability cannot be
> exploited and spread. This may or may not result in a shutdown of the
> server hosting the service, as you may want to allow remote
> patching, etc. The easiest way to do this is to block the port over
> which the vulnerability is being exploited.
Which does not help if you allow any encrypted ESP traffic to the
host, as the attacker will then just use encrypted ESP to make the
attack. On the other hand, if you do not allow any encrypted ESP
packets, you KNOW that all packets are ESP-NULL, which makes the
packet checks much easier even for stateless devices.
--
kivinen at iki.fi
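The policy the reply argues for, as an added example that is not code from the thread or from the draft: a stateless filter that drops ESP unless it parses as ESP-NULL wrapped around a sane inner IPv4 packet, and only then applies the port block to the cleartext inner TCP header. It assumes a 96-bit ICV and tunnel mode, and the inner-header sanity checks are a simplification of my own, not the draft's heuristics.

```python
import struct

ESP, TCP, IPV4 = 50, 6, 4   # IP protocol numbers; next header 4 = IPv4 inside ESP (tunnel mode)
ICV_LEN = 12                # assumption: 96-bit ICV; a stateless device must learn or guess this length
def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF
def ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload
def esp_null(spi: int, seq: int, inner: bytes) -> bytes:
    # ESP with NULL encryption: SPI, seq, cleartext inner packet, RFC 4303 pad/pad-len/next-header, ICV
    pad_len = (-(len(inner) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV4])
    return struct.pack("!II", spi, seq) + inner + trailer + bytes(ICV_LEN)  # ICV value is not checked here

def inspect(packet: bytes, blocked_ports: set) -> str:
    # Stateless policy: ESP that does not parse as ESP-NULL around a sane inner IPv4 packet is dropped,
    # inner TCP traffic to a blocked port is dropped, everything else is allowed (full outer IPv4 header assumed).
    if packet[9] != ESP:
        return "not-esp"
    body = packet[28:-ICV_LEN]                 # skip outer IPv4 (20) and SPI/seq (8), strip the ICV
    pad_len, next_hdr = (body[-2], body[-1]) if len(body) >= 2 else (0, -1)
    inner = body[:len(body) - 2 - pad_len] if pad_len + 2 <= len(body) else b""
    # Ciphertext fails these cleartext-header checks with overwhelming probability, so it is treated as opaque.
    if (next_hdr != IPV4 or len(inner) < 20 or inner[0] >> 4 != 4
            or ipv4_checksum(inner[:20]) != 0
            or struct.unpack("!H", inner[2:4])[0] != len(inner)
            or body[-2 - pad_len:-2] != bytes(range(1, pad_len + 1))):
        return "drop:not-esp-null"
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] == TCP:
        dport = struct.unpack("!H", inner[ihl + 2:ihl + 4])[0]
        if dport in blocked_ports:
            return "drop:blocked-port-%d" % dport
    return "allow"

# Constructed samples: 10.0.0.1 -> 10.0.0.2 ESP tunnel carrying 192.168.1.5 -> 192.168.1.9 TCP SYNs
GW_A, GW_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
def tunneled_syn(dport: int) -> bytes:
    syn = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    inner = ipv4(bytes([192, 168, 1, 5]), bytes([192, 168, 1, 9]), TCP, syn)
    return ipv4(GW_A, GW_B, ESP, esp_null(0x1001, 1, inner))
BLOCKED = {445}                                # the port the advisory in the thread says to shut
ESP_NULL_TO_445 = tunneled_syn(445)            # -> "drop:blocked-port-445"
ESP_NULL_TO_22 = tunneled_syn(22)              # -> "allow"
# Stand-in for an encrypted ESP payload: nothing a middlebox can verify, so this policy drops it
OPAQUE_ESP = ipv4(GW_A, GW_B, ESP, struct.pack("!II", 0x2002, 1) + bytes(range(96)))  # -> "drop:not-esp-null"
```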