Re: draft-ietf-dccp-serv-codes-06 - Treatment of SC in Ipsec SPD ???

Thanks, it could be interesting to explore if future IPsec maintenance should consider this as a possible extension.

So, do people think there is anything that needs to be added to the current wording in section 5.3 "Interactions with IPsec" of this document?

  "IPsec uses port numbers to perform access control in transport mode
   [RFC4301].  Security policies can define port-specific access control
   (PROTECT, BYPASS, DISCARD), as well as port-specific algorithms and
   keys. Similarly, firewall policies allow or block traffic based on
   port numbers.

   Use of port numbers in IPsec selectors and firewalls may assume that
   the numbers correspond to Well Known services. It is useful to note
   that there is no such requirement; any service may run on any port,
   subject to mutual agreement between the endpoint hosts.  Use of the
   Service Code may interfere with this assumption both within IPsec and
   in other firewall systems, but it does not add a new vulnerability.
   New implementations of IPsec and firewall systems may interpret the
   Service Code when implementing policy rules, but should not rely on
   either port numbers or Service Codes to indicate a specific service.

   This is not an issue for IPsec because the entire DCCP header and
   payload are protected by all IPsec modes. None of the DCCP header is
   protected by application-layer security, e.g., DTLS [ID.DTLS], so
   again this is not an issue [RFC4347]."

Gorry

Lars Eggert wrote:
Hi,

On 2008-6-20, at 16:07, ext Gorry Fairhurst wrote:
I received this email from Alfred (cc'ed above), who has kindly allowed me to forward this to the dccp list. It asks about the use of IPsec SPDs with DCCP Service Codes... an interesting question - do others have ideas on how this should be handled in this I-D?

Alfred raises a good point. But I don't think this document is the place to describe an extension to IPsec to allow DCCP selectors. We'd need a SEC area document for that.

Coincidentally, Pasi is likely to charter an IPSECME (IPsec maintenance and minor extensions) WG in the near future, which IMO would be the perfect home for this.

Lars

PS: Hm, I wonder if we ever got SCTP selectors specified for IPsec. If not, that'd be another thing for this new WG.
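To make the point in section 5.3 concrete, here is an added example (not code from the draft, the list or either author) that parses a DCCP-Request per RFC 4340 and runs it through a minimal transport-mode SPD whose selectors, as in RFC 4301, see only the ports: two Requests to the same port with different Service Codes get the same PROTECT/DISCARD decision. The packet bytes, the SPD entries and the Service Code values are constructed for the example; the SPD modelled here is inbound (local port = DCCP destination port).

```python
import struct

DCCP_PROTO = 33  # IP protocol number for DCCP

# Constructed DCCP-Request: 16-byte generic header (X=1) followed by the
# 32-bit Service Code (RFC 4340, sections 5.1 and 5.2). No options, no checksum.
def build_dccp_request(src_port, dst_port, service_code, seq=0x123456789ABC):
    hdr = struct.pack("!HHBBH", src_port, dst_port, 5, 0, 0)  # Data Offset 5 = 20 bytes
    hdr += bytes([(0 << 5) | (0 << 1) | 1, 0])  # Res=0, Type=0 (Request), X=1, Reserved
    hdr += seq.to_bytes(6, "big")                # 48-bit sequence number
    return hdr + struct.pack("!I", service_code)

def parse_dccp(pkt):
    """Return ports, packet type and (for Request/Response) the Service Code."""
    src, dst, doff, _, _ = struct.unpack("!HHBBH", pkt[:8])
    ptype, x = (pkt[8] >> 1) & 0xF, pkt[8] & 1
    if not x:
        raise ValueError("X=0 (short sequence numbers) not handled in this example")
    info = {"src_port": src, "dst_port": dst, "type": ptype, "service_code": None}
    if ptype == 0 and doff * 4 >= 20:       # DCCP-Request: Service Code right after header
        info["service_code"] = struct.unpack("!I", pkt[16:20])[0]
    elif ptype == 1 and doff * 4 >= 28:     # DCCP-Response: 8-byte Ack subheader first
        info["service_code"] = struct.unpack("!I", pkt[24:28])[0]
    return info

# Constructed SPD: first match wins; selectors are next-header protocol and ports only.
SPD = [
    {"proto": DCCP_PROTO, "local": 5001,  "remote": "any", "action": "PROTECT"},
    {"proto": DCCP_PROTO, "local": "any", "remote": "any", "action": "DISCARD"},
]

def spd_lookup(proto, local_port, remote_port, spd=SPD):
    for e in spd:
        if (e["proto"] == proto and e["local"] in ("any", local_port)
                and e["remote"] in ("any", remote_port)):
            return e["action"]
    return "DISCARD"

def classify_inbound(pkt):
    """SPD decision for an inbound packet, plus the Service Code the SPD never saw."""
    h = parse_dccp(pkt)
    return spd_lookup(DCCP_PROTO, h["dst_port"], h["src_port"]), h["service_code"]

if __name__ == "__main__":
    for sc in (0x464F4F20, 0x42415220):  # two constructed Service Codes, same port
        print(hex(sc), classify_inbound(build_dccp_request(40000, 5001, sc)))
```

Because the Service Code travels inside the DCCP header, which every IPsec mode protects in full, an SPD entry that wants to act on it can only do so after decapsulation, and the draft's advice stands: log or interpret it if you like, but do not treat either the port or the Service Code as proof of which service is behind it.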


