Re: Bruce Schneier on IPsec



Paul,

Yes, ESP w/o authentication is susceptible to certain forms of active 
attacks that can result in a breach of confidentiality, under certain 
circumstances. I think the easiest way to characterize such 
circumstances is that muxing multiple user data streams over a single 
SA provides the opportunity for such attacks.  Since IPsec allows for 
fine grained SAs, it is possible to avoid such attacks and thus there 
are safe ways of using this option as well.  The text of 2401 alludes 
to such concerns already.  A stronger and more precise set of 
warnings could be added if necessary.

Steve
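
As an added illustration of the point made in this message (not code from the thread or from any IPsec implementation): a small Python check that applies the two criteria Steve names to a set of hypothetical SA descriptions, flagging ESP SAs that carry no integrity protection and whose selectors are wide enough to multiplex more than one user's traffic over a single SA. The SA record format, field names and sample algorithm name are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

@dataclass
class SA:
    """Hypothetical description of one IPsec SA (constructed for this example)."""
    name: str
    src: str                          # source selector, address or CIDR
    dst: str                          # destination selector, address or CIDR
    proto: str                        # "tcp", "udp" or "any"
    ports: Optional[Tuple[int, int]]  # (src_port, dst_port); None = any port
    integrity: Optional[str]          # integrity algorithm; None = ESP w/o authentication

def is_coarse(sa: SA) -> bool:
    """True when the selectors can match traffic of more than one user/stream.

    Any of: a multi-host address range, an unrestricted protocol, or no port
    restriction means several data streams may share this one SA.
    """
    multi_src = ip_network(sa.src, strict=False).num_addresses > 1
    multi_dst = ip_network(sa.dst, strict=False).num_addresses > 1
    return multi_src or multi_dst or sa.proto == "any" or sa.ports is None

def assess(sa: SA) -> str:
    """Classify an SA according to the two conditions from the message."""
    if sa.integrity is not None:
        return "ok: ESP with integrity protection"
    if is_coarse(sa):
        return "risk: ESP without authentication multiplexes multiple streams"
    return "caution: ESP without authentication, but SA is fine-grained"

if __name__ == "__main__":
    # Constructed sample SAs: a gateway-to-gateway tunnel with wide selectors,
    # a host-to-host SA pinned to one TCP flow, and a tunnel with integrity.
    samples = [
        SA("gw-gw-noauth", "10.0.0.0/24", "10.1.0.0/24", "any", None, None),
        SA("host-host-noauth", "10.0.0.5", "10.1.0.7", "tcp", (40000, 22), None),
        SA("gw-gw-auth", "10.0.0.0/24", "10.1.0.0/24", "any", None, "hmac-sha2-256"),
    ]
    for sa in samples:
        print(f"{sa.name}: {assess(sa)}")
```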
