On Mon, Nov 04, 2002 at 12:58:55PM -0500, Trei, Peter wrote:
> Durden's question was whether a snooper on an IPSEC VPN can
> tell (for example) an encrypted email packet from an encrypted
> HTTP request.
>
> The answer is no.
>
> All Eve can tell is that FW1 sent FW2 a packet of a certain size.
> The protocol of the encapsulated IP packet, its true source
> behind FW1, its true destination behind FW2, and the true
> destination port are all hidden.
An external observer being able to tell the time of exchange or the percentage of traffic which is email vs http through a VPN probably isn't a big deal to most people. But if someone did care, it may be that you could have some probabilistic indication of whether the traffic is email or http (or other distinctions) based on the size of the packets, the timing, that kind of thing. As there are different internal originating points (mail hub vs desktop/desktop+proxy cache), probably aspects of the hardware, TCP stack and application performance and behaviour would leave some still recognizable performance and IP packet size signature.

A more direct traffic-analysis type of risk is interactive session protocols like telnet, perhaps some chat programs, where the characters are sent as they are typed. In this scenario it may be that an attacker could reconstruct the plaintext by analysing typing characteristics. (There was a paper about this risk for interactive sessions over SSH published a while back -- don't have the reference handy, probably google could find it.)

Another related type of risk is that SSL does not necessarily obscure the page requested, as the request and/or response may have a unique, predictable and publicly measurable size uniquely identifying the document requested.

Adam
--
http://www.cypherspace.org/adam/
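The two side channels Adam describes (response size identifying a public document, and per-keystroke packets leaking typing timing) can be modelled from the observer's side. The following is an added example, not code from the thread or from any of the participants: it simulates what Eve sees between the two gateways, namely only a timestamp and a wire size per packet, and shows how much she can still infer. The per-packet overhead, the padding block size, the MSS, the inner header sizes, the document catalog and the packet traces are all constructed assumptions, not measurements of any real tunnel. The keystroke part only extracts inter-keystroke timings, which is the raw signal the SSH timing-analysis work (Song, Wagner and Tian, USENIX Security 2001) builds its plaintext inference on; it does not attempt the inference itself.

```python
"""Side channels that survive an encrypting tunnel: packet size and timing.

Added example, not code from the original thread. Eve sees only
(timestamp_ms, wire_size) for packets between two gateways. All tunnel
parameters, catalog entries and traces below are constructed assumptions.
"""

import statistics

OVERHEAD = 50       # tunnel header/trailer bytes per packet (assumption, ESP-like)
BLOCK = 16          # inner packet padded up to a multiple of this (assumption)
MSS = 1460          # inner TCP payload per bulk segment (assumption)
IP_TCP_HDR = 40     # IPv4 + TCP header without options (assumption)
KEYSTROKE_INNER = IP_TCP_HDR + 1   # one typed character per packet

# Constructed catalog: full HTTP response size (headers + body) of public pages.
CATALOG = {
    "index.html": 3180,
    "pricing.html": 3175,
    "about.html": 2900,
    "contact.html": 8200,
    "faq.html": 1200,
}


def wire_size(inner_len):
    """Size Eve observes for an inner packet of inner_len bytes."""
    padded = -(-inner_len // BLOCK) * BLOCK   # round up to the block size
    return padded + OVERHEAD


def inner_range(wire):
    """Inclusive (low, high) inner lengths consistent with one observed wire size."""
    high = wire - OVERHEAD
    return high - BLOCK + 1, high


def segments(total_len, mss=MSS):
    """Split a response of total_len payload bytes into TCP segment payload sizes."""
    return [min(mss, total_len - i) for i in range(0, total_len, mss)]


def observed_response(total_len):
    """Simulate the wire sizes Eve sees for a response of total_len bytes."""
    return [wire_size(IP_TCP_HDR + seg) for seg in segments(total_len)]


def candidate_documents(wire_sizes, catalog=CATALOG):
    """Catalog entries whose response size is consistent with the observed packets.

    Padding hides the exact length, so each packet contributes an interval;
    documents whose sizes differ by less than the padding slack stay ambiguous.
    """
    low = high = 0
    for w in wire_sizes:
        lo, hi = inner_range(w)
        low += lo - IP_TCP_HDR
        high += hi - IP_TCP_HDR
    return sorted(name for name, size in catalog.items() if low <= size <= high)


def keystroke_intervals(trace):
    """Inter-arrival gaps (ms) between packets sized like a single keystroke.

    Note that a bare ACK (inner 40 bytes) pads to the same wire size as a
    one-character keystroke packet (inner 41 bytes), so size alone does not
    separate them; the timing does.
    """
    ks = wire_size(KEYSTROKE_INNER)
    times = [t for t, size in trace if size == ks]
    return [b - a for a, b in zip(times, times[1:])]


def classify_flow(trace, min_keystrokes=4):
    """'interactive' if keystroke-sized packets arrive at human typing pace, else 'bulk'."""
    gaps = keystroke_intervals(trace)
    if len(gaps) + 1 < min_keystrokes:
        return "bulk"
    median_gap = statistics.median(gaps)
    return "interactive" if 30 <= median_gap <= 1000 else "bulk"


# Constructed traces of (timestamp_ms, wire_size). KS is the keystroke wire size.
KS = wire_size(KEYSTROKE_INNER)
BULK = wire_size(IP_TCP_HDR + MSS)
TYPING_TRACE = [(0, KS), (120, KS), (310, KS), (380, KS), (600, KS), (710, KS)]
BULK_TRACE = [(0, BULK), (1, BULK), (2, KS), (3, BULK), (4, BULK),
              (5, KS), (6, BULK), (7, KS), (8, KS), (9, KS)]

if __name__ == "__main__":
    print("index.html fetch looks like:", candidate_documents(observed_response(3180)))
    print("faq.html fetch looks like:", candidate_documents(observed_response(1200)))
    print("typing gaps (ms):", keystroke_intervals(TYPING_TRACE))
    print(classify_flow(TYPING_TRACE), classify_flow(BULK_TRACE))
```

With these parameters a fetch of index.html cannot be told apart from pricing.html (the two sizes differ by less than the padding slack), while faq.html is identified outright; the mitigation the sizes point to is padding responses to a coarse bucket rather than to the cipher block. For the interactive case, the keystroke and ACK packets collapse to one wire size, which is exactly why the classifier falls back on inter-arrival timing.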