nanog mailing list archives
[no subject]
From: "J. Oquendo" <sil () politrix org>
Date: Fri, 31 Dec 2004 14:57:37 -0500 (EST)
On Fri, 31 Dec 2004, Merike Kaeo wrote:
> When you start encrypting for confidentiality then: a) you may end up trusting your endpoints more and perform sanity checks other than 'deep inspection' to mitigate spoofed and unwanted traffic
Shouldn't mitigation on spoofing (and this argument will forever go forward on NANOG) be done at the network level, e.g. BOGON, Best Common Underrated Practices? If companies didn't follow them then/now using IPv4, which can already filter this, what makes you think engineers will configure their equipment to do more sanity checks?
> b) you may have a corporate policy where you need the capability to look at all traffic and therefore are required to use some IPsec intermediary device which acts as an endpoint on behalf of other corporate hosts (and decrypts/encrypts the traffic).
Wouldn't this render ESP obsolete? What would be the purpose of IPsec then? What I infer from this message is that you would want some form of hardware or software in place to be able to read this IPSec traffic. And this to you is security? How secure would I feel knowing my provider, or company, has the ability to decrypt my encrypted data when I'm making an online payment somewhere? How secure would any user feel with some form of (not known at this time to even be possible) device on the line? This statement makes little sense to me, or maybe I'm misreading it.

Let's take a look at an IPv6 packet after ESP (RFC 2406):

            -----------------------------------------------------------
   IPv6     | new* |new ext |   | orig*|orig ext |   |    | ESP   | ESP|
            |IP hdr| hdrs*  |ESP|IP hdr| hdrs *  |TCP|Data|Trailer|Auth|
            -----------------------------------------------------------
                                |<--------- encrypted ----------->|
                            |<---------- authenticated ---------->|

Which portion of this IPv6 do you want this device to decrypt again? Again I hope I misunderstood your statement.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org     http://www.politrix.org
sil @ infiltrated . net  http://www.infiltrated.net

"How a man plays the game shows something of his character - how he loses shows all" - Mr. Luckey
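The following is an added illustration, not code from the thread or from either poster. It builds an IPv6 packet in ESP tunnel mode with the RFC 2406 layout shown above (outer IPv6 header, ESP header, encrypted inner IPv6/TCP/data plus trailer, ICV) and then answers the two questions the exchange raises: what a device on the path can see without the SA keys (only the outer header, SPI, sequence number and an opaque byte count), and that BCP 38 style anti-spoofing can be applied to that cleartext outer header without any decryption, while only the endpoint holding the keys can verify the ICV and recover the inner packet. The addresses (2001:db8::/32 documentation space), keys, SPI and payload are constructed; the cipher transform is an HMAC-SHA256 counter keystream standing in for a real ESP transform, chosen so the example runs with the standard library only, and the 12-byte truncated ICV mirrors the HMAC-96 length.

```python
"""Constructed example of IPv6 ESP tunnel mode (RFC 2406 layout) and what a
key-less middlebox can and cannot check.  Not IPsec-interoperable: the cipher
is a stand-in keystream, used only to show which bytes are opaque on the wire."""
import hashlib
import hmac
import ipaddress
import struct

ESP = 50          # IPv6 next-header value for ESP
IPV6_IN_IPV6 = 41  # next header carried in the ESP trailer for tunnel mode
TCP = 6
ICV_LEN = 12      # truncated ICV, same length as HMAC-96

# Constructed SA parameters (assumptions, not from the thread)
ENC_KEY = b"\x11" * 32
AUTH_KEY = b"\x22" * 32
SPI = 0x1000

def ipv6_header(src, dst, next_header, payload_len):
    # Fixed 40-byte IPv6 header: version 6, traffic class and flow label 0, hop limit 64
    return struct.pack("!IHBB16s16s", 6 << 28, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)

def keystream(key, spi, seq, n):
    # Stand-in cipher: HMAC-SHA256 in counter mode keyed by (SPI, seq, counter)
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def esp_encapsulate(enc_key, auth_key, spi, seq, outer_src, outer_dst, inner_packet):
    # Trailer: padding to 4-byte alignment (1,2,3,... per RFC 2406), pad length, next header
    pad_len = (-(len(inner_packet) + 2)) % 4
    plaintext = inner_packet + bytes(range(1, pad_len + 1)) + bytes([pad_len, IPV6_IN_IPV6])
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, spi, seq, len(plaintext))))
    esp_hdr = struct.pack("!II", spi, seq)          # SPI and sequence number stay in the clear
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + ciphertext + icv
    return ipv6_header(outer_src, outer_dst, ESP, len(esp)) + esp

def middlebox_view(packet):
    # Everything a device without the SA keys can parse: outer header, SPI, seq, opaque length
    _, _, nh, _, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    view = {"src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst)), "next_header": nh}
    if nh == ESP:
        view["spi"], view["seq"] = struct.unpack("!II", packet[40:48])
        view["opaque_bytes"] = len(packet) - 48
    return view

def ingress_ok(packet, customer_prefix, bogon_prefixes):
    # BCP 38 style source validation on the cleartext outer header only; no decryption involved
    src = ipaddress.IPv6Address(middlebox_view(packet)["src"])
    if src not in ipaddress.IPv6Network(customer_prefix):
        return False
    return not any(src in ipaddress.IPv6Network(p) for p in bogon_prefixes)

def icv_valid(auth_key, packet):
    # Only an endpoint holding the authentication key can do this check
    esp = packet[40:]
    expected = hmac.new(auth_key, esp[:-ICV_LEN], hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(esp[-ICV_LEN:], expected)

def esp_decapsulate(enc_key, auth_key, packet):
    # Endpoint side: verify ICV first, then decrypt and strip the trailer
    if not icv_valid(auth_key, packet):
        raise ValueError("ICV mismatch: packet was modified in transit")
    esp = packet[40:]
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:-ICV_LEN]
    plaintext = bytes(a ^ b for a, b in zip(body, keystream(enc_key, spi, seq, len(body))))
    pad_len, next_header = plaintext[-2], plaintext[-1]
    return next_header, plaintext[:-(2 + pad_len)]

def sample_inner():
    # Constructed inner packet: corporate host to remote host, minimal TCP header plus data
    tcp = struct.pack("!HHIIHHHH", 49152, 443, 1, 0, 0x5018, 65535, 0, 0)
    data = b"hello"
    return ipv6_header("2001:db8:1::10", "2001:db8:2::20", TCP, len(tcp) + len(data)) + tcp + data

def sample_packet():
    # Security gateways 2001:db8:1::1 and 2001:db8:2::1 tunnel the inner packet
    return esp_encapsulate(ENC_KEY, AUTH_KEY, SPI, 1, "2001:db8:1::1", "2001:db8:2::1", sample_inner())

if __name__ == "__main__":
    pkt = sample_packet()
    print("on-path view without keys:", middlebox_view(pkt))
    print("ingress filter passes:", ingress_ok(pkt, "2001:db8:1::/48", ["::/128", "fe80::/10"]))
    print("endpoint recovers inner packet:", esp_decapsulate(ENC_KEY, AUTH_KEY, pkt)[1] == sample_inner())
```

The point the block makes concrete is the one the reply argues: anti-spoofing belongs on the outer header, which ESP leaves readable, so an ingress filter needs no key material; the inner addresses, TCP ports and data are opaque to anything on the path, and altering them invalidates the ICV at the receiving endpoint.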