
Re: [saag] IPsec spec problems



 

> For example, if one believes that attackers are not capable 
> of a MITM attack, then one could implement a simple, fast 
> check of the SPI associated with each IPsec (ESP) packet, on 
> a line card.  Thus off-path attacks would be rejected 
> efficiently.  Alternatively, if future management processors 
> had adequate horsepower to process IPsec traffic at high 
> speeds, e.g., via hardware assist, then the problem would 
> vanish as well.

I've explored that path. Too complicated to code and high on the
maintenance side (too big of OPEX increase).
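
The SPI pre-filter described in the quoted text, sketched as an added example that is not part of the original message or of any vendor's code. The function names, the SPI table and the sample packet are constructed for illustration; the sketch assumes IPv4 and, as its own policy choice, drops later fragments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESP_PROTO 50   /* IP protocol number of ESP */
/* Assumed: SPIs of the inbound SAs terminated on this device (constructed values). */
static const uint32_t active_spis[] = { 0x1a2b3c4dU, 0x0badc0deU };
uint8_t demo_pkt[28];  /* scratch buffer for the constructed sample packet */

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* 1 = hand to the IPsec engine, 0 = drop, -1 = not an IPv4 ESP packet.
 * No cryptography: anyone who can observe a live SPI passes; only off-path guesses are shed. */
int esp_spi_prefilter(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != ESP_PROTO)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8)      /* no room for SPI + sequence number */
        return 0;
    if (((pkt[6] & 0x1f) << 8 | pkt[7]) != 0)
        return 0;                       /* later fragment: no ESP header to inspect */
    uint32_t spi = be32(pkt + ihl);
    if (spi <= 255)                     /* SPI values 0-255 are reserved */
        return 0;
    for (size_t i = 0; i < sizeof active_spis / sizeof active_spis[0]; i++)
        if (active_spis[i] == spi)      /* a line card would use a hash or TCAM lookup */
            return 1;
    return 0;
}

/* Builds a constructed 28-byte IPv4 + ESP header (no payload) for the demo. */
size_t build_sample(uint8_t buf[28], uint32_t spi)
{
    memset(buf, 0, 28);
    buf[0] = 0x45; buf[9] = ESP_PROTO;  /* IPv4, IHL 5 words, protocol ESP */
    for (int i = 0; i < 4; i++) buf[20 + i] = (uint8_t)(spi >> (24 - 8 * i));
    return 28;
}

int main(void)
{
    printf("known SPI:   %d\n", esp_spi_prefilter(demo_pkt, build_sample(demo_pkt, 0x1a2b3c4dU)));
    printf("guessed SPI: %d\n", esp_spi_prefilter(demo_pkt, build_sample(demo_pkt, 0xdeadbeefU)));
    return 0;
}
```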



Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.