This is a great article, but I disagree with his point about IPsec. ESP detects malicious or benign data corruption on the wire, and I don't think it is the job of IPsec to detect errors that are actually introduced by bugs in the sender's network stack. So I think that exempting the receiver from verifying the checksum was a correct decision.

Thanks,
        Yaron

On 05/14/2015 06:23 PM, Russ Housley wrote:

http://arstechnica.com/information-technology/2015/05/the-discovery-of-apache-zookeepers-poison-packet/

This article describes a set of four bugs that caused a serious problem
for one open source project:

"RFC 3948 tells the tale. It states that while using IPSec in NAT-T
Transport mode, the client MAY forgo the validation of the TCP/UDP
checksum under the assumption that packet integrity is already protected
by ESP. ... The assumption made by the authors is invalid, as there is
clearly ample opportunity for corruption prior to ESP/IP formation.
While checksumming is a great way to detect in-flight corruption, it can
also be used as a tool to detect corruption during the formation of the
packet. It is the latter point that was overlooked, and this
optimization has come to bite us. ... We claim this is a bug—intentional
or not."

Russ


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
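A small Python model of the point being argued in this thread, added here as an illustration and not part of either message or of any IPsec implementation: a real UDP/IPv4 checksum (RFC 768 over the pseudo-header) beside a stand-in for ESP integrity (a truncated HMAC, not real ESP), with constructed packets, a constructed key and documentation addresses. Corruption that happens after encapsulation fails the ICV, while corruption introduced in the sender's stack before encapsulation passes the ICV and is only caught if the receiver still verifies the inner checksum that RFC 3948 lets it skip.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed; not a real IPsec SA key
ICV_LEN = 12  # truncated-HMAC ICV length used by this stand-in
def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF
def pseudo_header(src_ip: str, dst_ip: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero byte, protocol 17 (UDP), UDP length."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 17, udp_len)
def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """UDP datagram whose checksum covers pseudo-header, UDP header and payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum or 0xFFFF) + payload
def udp_checksum_ok(src_ip, dst_ip, datagram: bytes) -> bool:
    """The check RFC 3948 lets the receiver skip: sum over pseudo-header + datagram is 0."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(datagram)) + datagram) == 0
def esp_protect(inner: bytes) -> bytes:
    """Stand-in for ESP integrity: append an ICV over the datagram as handed to IPsec."""
    return inner + hmac.new(KEY, inner, hashlib.sha256).digest()[:ICV_LEN]
def receive(src_ip, dst_ip, packet: bytes, verify_udp_checksum: bool) -> str:
    """Receiver: ESP ICV check first, then the inner UDP checksum only if enabled."""
    inner, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(KEY, inner, hashlib.sha256).digest()[:ICV_LEN]):
        return "dropped: ESP ICV mismatch"
    if verify_udp_checksum and not udp_checksum_ok(src_ip, dst_ip, inner):
        return "dropped: UDP checksum mismatch"
    return "accepted"
def flip_last_byte(data: bytes) -> bytes:
    return data[:-1] + bytes([data[-1] ^ 0x01])
def demo() -> dict:
    src, dst = "192.0.2.1", "198.51.100.2"  # documentation addresses
    good = build_udp(src, dst, 4500, 4500, b"zookeeper")  # constructed payload
    pre_esp = esp_protect(flip_last_byte(good))  # sender-stack bug before encapsulation
    on_wire = flip_last_byte(esp_protect(good))  # corruption after encapsulation
    return {"good": receive(src, dst, esp_protect(good), False),
            "on_wire": receive(src, dst, on_wire, False),
            "pre_esp_skip_check": receive(src, dst, pre_esp, False),
            "pre_esp_verify": receive(src, dst, pre_esp, True)}
```

Calling demo() shows the four outcomes side by side; the case the article complains about is pre_esp_skip_check, where the ICV is valid and the damaged datagram is accepted.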
