nanog mailing list archives

[no subject]


From: "J. Oquendo" <sil () politrix org>
Date: Fri, 31 Dec 2004 14:57:37 -0500 (EST)



On Fri, 31 Dec 2004, Merike Kaeo wrote:


> When you start encrypting for confidentiality then:
>
> a) you may end up trusting your endpoints more and perform sanity
> checks other than 'deep inspection' to mitigate spoofed and unwanted
> traffic

Shouldn't mitigation on spoofing (and this argument will forever go
forward on NANOG) be done at the network level, e.g. BOGON, Best Common
Underrated Practices? If companies didn't follow them then/now using IPv4,
which can already filter this, what makes you think engineers will
configure their equipment to do more sanity checks?

> b) you may have a corporate policy where you need the capability to
> look at all traffic and therefore are required to use some IPsec
> intermediary device which acts as an endpoint on behalf of other
> corporate hosts (and decrypts/encrypts the traffic).

Wouldn't this render ESP obsolete? What would be the purpose of IPsec
then? What I infer from this message is that you would want some form of
hardware or software in place to be able to read this IPsec traffic. And
this to you is security? How secure would I feel knowing my provider, or
company, has the ability to decrypt my encrypted data when I'm making an
online payment somewhere? How secure would any user feel with some form of
(not known at this time to even be possible) device on the line? This
statement makes little sense to me, or maybe I'm misreading it.

Let's take a look at an IPv6 packet after ESP (RFC 2406)

      ------------------------------------------------------------
IPv6  | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
      |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer|Auth|
      ------------------------------------------------------------
                          |<--------- encrypted ----------->|
                      |<---------- authenticated ---------->|

Which portion of this IPv6 packet do you want this device to decrypt? Again,
I hope I misunderstood your statement.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

"How a man plays the game shows something of his
character - how he loses shows all" - Mr. Luckey
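The ESP tunnel-mode layout in the post above, worked through in code as an added example (not part of the original mail, and not an implementation from any IPsec stack). It assembles an RFC 2406 ESP packet (SPI, sequence number, IV, encrypted inner packet plus padding, pad length and next header, then the ICV), reports which byte ranges the diagram's "encrypted" and "authenticated" brackets cover, and shows what an intermediary without the security association's keys can actually read: the SPI and sequence number, nothing of the inner IP header, TCP header or data. The confidentiality transform is an illustrative stand-in (a counter mode built on SHA-256) rather than the RFC's DES-CBC or a real AES mode, the ICV is HMAC-SHA256 truncated to 96 bits in the style of RFC 2404, and the inner packet is a constructed byte string; all three are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

ESP_HDR_LEN = 8        # SPI (4) + Sequence Number (4), always sent in the clear
IV_LEN = 16            # IV sits at the start of Payload Data: authenticated, not encrypted
ICV_LEN = 12           # 96-bit truncated ICV, following the RFC 2404 HMAC-*-96 convention
NEXT_HEADER_IPV6 = 41  # tunnel mode: the encapsulated payload is a whole IPv6 packet


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Illustrative stand-in for the ESP cipher (RFC 2406 mandates DES-CBC; AES is
    used in practice): a counter mode over SHA-256. An assumption of this example."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_esp(spi, seq, inner_packet, next_header, enc_key, auth_key, iv=None):
    """Assemble SPI | Seq | IV | {inner | padding | pad len | next hdr} | ICV."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    # RFC 2406: Pad Length and Next Header end on a 4-byte boundary; pad bytes are 1,2,3,...
    pad_len = (-(len(inner_packet) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    plaintext = inner_packet + padding + bytes([pad_len, next_header])
    ciphertext = xor_bytes(plaintext, keystream(enc_key, iv, len(plaintext)))
    esp_header = struct.pack(">II", spi, seq)
    authenticated = esp_header + iv + ciphertext   # everything except the ICV itself
    icv = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    return authenticated + icv


def coverage(packet: bytes) -> dict:
    """Half-open byte ranges matching the diagram's 'encrypted' and 'authenticated'
    brackets: encryption starts after the IV, authentication covers all but the ICV."""
    end = len(packet) - ICV_LEN
    return {"encrypted": (ESP_HDR_LEN + IV_LEN, end), "authenticated": (0, end)}


def middlebox_view(packet: bytes) -> dict:
    """What a device without the SA's keys can read: SPI and sequence number only.
    The original IP header, TCP header and data are an opaque ciphertext blob."""
    spi, seq = struct.unpack(">II", packet[:ESP_HDR_LEN])
    opaque = packet[ESP_HDR_LEN + IV_LEN:len(packet) - ICV_LEN]
    return {"spi": spi, "seq": seq, "opaque_bytes": len(opaque)}


def verify_and_decrypt(packet: bytes, enc_key: bytes, auth_key: bytes):
    """Endpoint processing: check the ICV first and reject on mismatch, then decrypt
    and strip padding. Returns (inner_packet, next_header)."""
    authenticated, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified in transit or wrong key")
    iv = authenticated[ESP_HDR_LEN:ESP_HDR_LEN + IV_LEN]
    ciphertext = authenticated[ESP_HDR_LEN + IV_LEN:]
    plaintext = xor_bytes(ciphertext, keystream(enc_key, iv, len(ciphertext)))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    inner = plaintext[:len(plaintext) - 2 - pad_len]
    if plaintext[len(inner):-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return inner, next_header


if __name__ == "__main__":
    # Constructed sample standing in for "orig IP hdr | TCP | Data" from the diagram.
    inner = b"orig-ipv6-hdr|tcp-hdr|data"
    pkt = build_esp(0x1234, 1, inner, NEXT_HEADER_IPV6, b"k" * 16, b"a" * 16)
    print(middlebox_view(pkt))      # SPI and seq are all an intermediary sees
    print(coverage(pkt))
    print(verify_and_decrypt(pkt, b"k" * 16, b"a" * 16))
```

Because the ICV covers the SPI, sequence number, IV and the whole ciphertext, any device that rewrites the encrypted portion without the authentication key produces a packet the real endpoint discards; that is why a "look at all traffic" policy can only be met by making the intermediary itself the ESP endpoint, exactly the trade-off the mail is questioning.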

