
[IPSECKEY] IPSECKEY - man-in-the-middle

OLD TEXT:

   Note that the danger here only applies to cases where the gateway
   field of the IPSECKEY RR indicates a different entity than the owner
   name of the IPSECKEY RR.  In cases where the end-to-end integrity of
   the IPSECKEY RR is suspect, the end client MUST restrict its use of
   the IPSECKEY RR to cases where the RR owner name matches the content
   of the gateway field.

NEW TEXT:

Note that the risk of a man-in-the-middle attack mediated by the IPSECKEY
RR only applies to cases where the gateway field of the IPSECKEY RR
indicates a different entity than the owner name of the IPSECKEY RR.

An active attack on the DNS that caused the wrong IP address to be retrieved
(via forged A RR), and therefore the wrong QNAME to be queried, would also
result in a man-in-the-middle attack. This situation exists independently
of whether or not the IPSECKEY RR is used.

In cases where the end-to-end integrity of
the IPSECKEY RR is suspect, the end client MUST restrict its use
of the IPSECKEY RR to cases where the RR owner name matches the
content of the gateway field.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
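As an added illustration of the rule in the proposed text (not code from the message, the list, or any IPSECKEY implementation), the following Python sketch decides whether an end client may use an IPSECKEY RR when the RR's end-to-end integrity is not established (no DNSSEC validation). It assumes the IPSECKEY RDATA layout of the published spec (precedence, gateway type, algorithm, gateway, public key; gateway types 0 none, 1 IPv4, 2 IPv6, 3 domain name), and assumes that for address-type gateways the "owner name matches the gateway" test is done by mapping an in-addr.arpa / ip6.arpa owner name back to an address. Function names, the sample records and the public-key bytes are constructed for the example.

```python
import ipaddress
import struct

# Gateway type codes from the IPSECKEY RDATA format (assumed, per the spec).
GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3


def build_ipseckey_rdata(precedence, gw_type, algorithm, gateway, pubkey):
    """Build IPSECKEY RDATA; used here only to construct sample records."""
    out = struct.pack("!BBB", precedence, gw_type, algorithm)
    if gw_type == GW_IPV4:
        out += ipaddress.IPv4Address(gateway).packed
    elif gw_type == GW_IPV6:
        out += ipaddress.IPv6Address(gateway).packed
    elif gw_type == GW_NAME:
        # Uncompressed wire-format domain name.
        for label in gateway.rstrip(".").split("."):
            out += bytes([len(label)]) + label.encode("ascii")
        out += b"\x00"
    elif gw_type != GW_NONE:
        raise ValueError("unknown gateway type %d" % gw_type)
    return out + pubkey


def parse_ipseckey_rdata(rdata):
    """Return (precedence, gw_type, algorithm, gateway, pubkey) from RDATA."""
    precedence, gw_type, algorithm = struct.unpack("!BBB", rdata[:3])
    pos = 3
    if gw_type == GW_NONE:
        gateway = None
    elif gw_type == GW_IPV4:
        gateway = str(ipaddress.IPv4Address(rdata[pos:pos + 4]))
        pos += 4
    elif gw_type == GW_IPV6:
        gateway = str(ipaddress.IPv6Address(rdata[pos:pos + 16]))
        pos += 16
    elif gw_type == GW_NAME:
        labels = []
        while True:
            n = rdata[pos]
            pos += 1
            if n == 0:
                break
            labels.append(rdata[pos:pos + n].decode("ascii"))
            pos += n
        gateway = ".".join(labels) + "."
    else:
        raise ValueError("unknown gateway type %d" % gw_type)
    return precedence, gw_type, algorithm, gateway, rdata[pos:]


def owner_to_address(owner):
    """Map a reverse-tree owner name to the address it denotes, or None."""
    name = owner.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        labels = name[:-len(".in-addr.arpa")].split(".")
        if len(labels) != 4:
            return None
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    if name.endswith(".ip6.arpa"):
        nibbles = name[:-len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            return None
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    return None


def gateway_matches_owner(owner, gw_type, gateway):
    """True when the gateway field names the same entity as the RR owner."""
    if gw_type == GW_NONE:
        # No gateway: the key belongs to the owner itself (assumed reading).
        return True
    if gw_type == GW_NAME:
        return owner.lower().rstrip(".") == gateway.lower().rstrip(".")
    addr = owner_to_address(owner)
    return addr is not None and addr == ipaddress.ip_address(gateway)


def may_use_ipseckey(owner, rdata, dnssec_validated):
    """Apply the MUST: without trusted integrity, owner must match gateway."""
    _, gw_type, _, gateway, _ = parse_ipseckey_rdata(rdata)
    if dnssec_validated:
        return True
    return gateway_matches_owner(owner, gw_type, gateway)


if __name__ == "__main__":
    # Constructed sample: a record whose gateway is a different host.
    rd = build_ipseckey_rdata(10, GW_NAME, 2, "gw.example.com.", b"\x01\x02")
    print(may_use_ipseckey("host.example.com.", rd, dnssec_validated=False))
    print(may_use_ipseckey("gw.example.com.", rd, dnssec_validated=False))
```

The point of the check is the second branch of may_use_ipseckey: with DNSSEC the record can point at any gateway, but an unvalidated record is only honoured when it names the queried entity itself, which is exactly the case in which a forged IPSECKEY buys the attacker nothing beyond what a forged A RR already would.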
-
This is the IPSECKEY@sandelman.ca list.
Email to ipseckey-request@sandelman.ca to be removed.