Hi, 

On 13.09.2010 at 20:40, Christof Mroz wrote:

> Things currently done by hipfw in userspace, other than dispatching (see 
> filter_esp_state()):
> 
> - validating esp_prot tokens
> Should packets be forced into userspace when esp_prot is active?
> 
Sadly, yes. It would be great to have a kernel space module for that.

> - validating the esp seqno
> Forging this isn't lucrative for attackers anyway, because the packet is 
> going to be discarded at the end-host. If someone was after DOS-ing the 
> middlebox, he'd be able to without sequence number trickery since an SA has 
> already been established at this point.
> 
> - updating connection timestamp
> The timestamp isn't currently referenced in the code anyway.
> 
> Of course, these currently won't be done if dispatched by iptables.
> 

This means that we can nail down IPsec ESP traffic to a combination of SPI and 
IP addresses? If that is the case, it is sufficient for now. ESP sequence 
numbers and timestamp are not cryptographically protected anyway. If someone 
takes the effort to forge ESP packets, forging the sequence numbers and the 
timestamp is not an obstacle anymore.

Tobias

> _______________________________________________
> Mailing list: https://launchpad.net/~hipl-core
> Post to     : [email protected]
> Unsubscribe : https://launchpad.net/~hipl-core
> More help   : https://help.launchpad.net/ListHelp

-- 
Dipl.-Inform. Tobias Heer, Ph.D. Student
Chair of Communication and Distributed Systems - comsys
RWTH Aachen University, Germany
tel: +49 241 80 207 76
web: http://ds.cs.rwth-aachen.de/members/heer
blog: http://dtobi.wordpress.com/
card: http://card.ly/dtobi
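As an added illustration of the filtering approach discussed above (forwarding ESP only for a known combination of source address, destination address and SPI, with the sequence number treated as unauthenticated from the middlebox's point of view), here is a small Python model of such a filter. It is example code written for this page, not HIPL's hipfw code or anything posted by either author. The addresses, SPIs, packets and the per-SA table are constructed; the RFC 4303 style sliding replay window is included only to show what a middlebox could check heuristically, and is off by default because the middlebox has no key to verify it.

```python
import ipaddress
import struct

IP_PROTO_ESP = 50
WINDOW = 64  # size of the optional sequence-number plausibility window

# Constructed sample: per-SA entries a middlebox could install once the SA has
# been established. Addresses and SPIs are made-up placeholders.
ALLOWED_SAS = {
    ("192.0.2.10", "198.51.100.20", 0x0000ABCD),
}


def build_ipv4_esp(src, dst, spi, seq, payload=b"\x00" * 16, proto=IP_PROTO_ESP):
    """Construct a minimal IPv4 packet carrying an ESP header (no checksum)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return ip_hdr + struct.pack("!II", spi, seq) + payload


def parse_ipv4_esp(packet):
    """Return (src, dst, spi, seq) for an IPv4+ESP packet, or None otherwise."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != IP_PROTO_ESP:
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    spi, seq = struct.unpack("!II", packet[ihl:ihl + 8])
    return src, dst, spi, seq


class SeqWindow:
    """Sliding anti-replay window: bit i of `bitmap` means highest - i was seen."""

    def __init__(self):
        self.highest = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        if seq == 0:
            return False  # sequence number 0 is never valid for ESP
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW or self.bitmap & (1 << diff):
            return False  # too old, or already seen (replay)
        self.bitmap |= 1 << diff
        return True


class EspFilter:
    """Forward ESP only for (src, dst, spi) triples learned from an established SA."""

    def __init__(self, allowed, enforce_seq=False):
        self.allowed = set(allowed)
        self.enforce_seq = enforce_seq
        self.windows = {}

    def decide(self, packet):
        hdr = parse_ipv4_esp(packet)
        if hdr is None:
            return "DROP"  # not ESP or malformed; leave it to other policy
        src, dst, spi, seq = hdr
        key = (src, dst, spi)
        if key not in self.allowed:
            return "DROP"  # no SA known for this triple
        # The end host verifies the sequence number under the ICV; here it is
        # only a plausibility check, so it is advisory unless enforce_seq is set.
        plausible = self.windows.setdefault(key, SeqWindow()).check_and_update(seq)
        if self.enforce_seq and not plausible:
            return "DROP"
        return "ACCEPT"


if __name__ == "__main__":
    f = EspFilter(ALLOWED_SAS, enforce_seq=True)
    for seq in (1, 1, 3, 2):
        print(seq, f.decide(build_ipv4_esp("192.0.2.10", "198.51.100.20", 0xABCD, seq)))
```

With `enforce_seq=False` (the default) the filter behaves as the thread proposes: the decision depends only on the address pair and SPI, and the sequence number is merely observed.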
