Re: Bruce Schneier on IPsec
Paul,
Yes, ESP w/o authentication is susceptible to certain forms of active
attacks that can result in a breach of confidentiality, under certain
circumstances. I think the easiest way to characterize such
circumstances is that muxing multiple user data streams over a single
SA provides the opportunity for such attacks. Since IPsec allows for
fine-grained SAs, it is possible to avoid such attacks and thus there
are safe ways of using this option as well. The text of 2401 alludes
to such concerns already. A stronger and more precise set of
warnings could be added if necessary.
Steve
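The point Steve makes (that ESP with encryption but no integrity protection can have its ciphertext modified in transit without the receiver noticing, whereas ESP with an integrity check value rejects the modified packet) can be shown with a small model. The following is an added example, not code from the thread or from any IPsec implementation: it uses a constructed HMAC-based stream cipher and a truncated-HMAC tag as stand-ins for the real ESP transforms, and all keys, nonces and payloads are constructed values.

```python
import hmac
import hashlib

TAG_LEN = 12  # ESP-style truncated integrity check value (constructed choice)


def keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Toy counter-mode PRF built from HMAC-SHA256 (illustration only, not a real ESP cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_only(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Model of ESP with confidentiality but no authentication: plaintext XOR keystream."""
    ks = keystream(enc_key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_only(enc_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR with the same keystream is its own inverse; there is nothing to verify.
    return encrypt_only(enc_key, nonce, ciphertext)


def encrypt_auth(enc_key: bytes, auth_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Model of ESP with the authentication option: encrypt, then append an ICV over the ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    icv = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + icv


def decrypt_auth(enc_key: bytes, auth_key: bytes, nonce: bytes, packet: bytes):
    """Verify the ICV before decrypting; return None (drop the packet) on mismatch."""
    ct, icv = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def flip_byte(packet: bytes, offset: int, mask: int) -> bytes:
    """Simulate an in-transit modification of one ciphertext byte."""
    b = bytearray(packet)
    b[offset] ^= mask
    return bytes(b)


def demo():
    # Constructed keys, nonce and inner payload.
    enc_key = b"\x01" * 32
    auth_key = b"\x02" * 32
    nonce = b"\x00" * 8
    plaintext = b"hello world"

    # Encryption only: the modified packet decrypts without error to a different plaintext,
    # so the receiver processes attacker-influenced data as if it came from the peer.
    ct = encrypt_only(enc_key, nonce, plaintext)
    silently_altered = decrypt_only(enc_key, nonce, flip_byte(ct, 4, 0x01))

    # Encryption plus integrity: the same modification fails the ICV check and the packet is dropped.
    pkt = encrypt_auth(enc_key, auth_key, nonce, plaintext)
    rejected = decrypt_auth(enc_key, auth_key, nonce, flip_byte(pkt, 4, 0x01))
    accepted = decrypt_auth(enc_key, auth_key, nonce, pkt)
    return silently_altered, rejected, accepted


if __name__ == "__main__":
    altered, rejected, accepted = demo()
    print("encryption only, tampered  ->", altered)
    print("with integrity, tampered   ->", rejected)
    print("with integrity, untampered ->", accepted)
```

The model is deliberately minimal, but the asymmetry it shows is the real one: without an integrity check the receiver has no way to tell a modified packet from a genuine one, and any traffic sharing the SA is exposed to the consequences; with the ICV present, modification is detected and the packet is discarded before its contents are acted on.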