Hi:

I think I've found a case where SA selector checks alone are not enough to guard against address spoofing.

Consider the scenario I painted earlier where a host H is connected to a trusted network T. It is trusted in the sense that if we receive a packet from any host in T, it is guaranteed to have come from that host.

Now let us establish an IPCOMP(tun)/ESP(trans) connection to a remote host A outside the trusted network, the selector of the IPCOMP tunnel being any to any. We assume that A is trusted in the sense that it does not allow packets bearing addresses in T to be sent to us.

Unfortunately, if my understanding is correct, any host B outside the trusted network can now send us packets bearing addresses in T using the IPCOMP tunnel for A, assuming that B is able to spoof A's address.

This is so because any such packet will pass the IPCOMP selector test, as it is any to any. It also passes the policy check, as there are no explicit policies for packets coming from T.

This suggests to me that we do need to strengthen the policy check algorithm, as all the SA selector checks have been duly carried out.

Please let me know if you can find any flaws in my reasoning.

Cheers,
--
Debian GNU/Linux 3.0 is out! ( http://www.debian.org/ )
Email: Herbert Xu 许志壬 <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
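
Added example, not part of the original message and not kernel code: a small Python model of the receive-side decision described above, showing the packet passing the any-to-any selector check and a lenient policy check, and being rejected once the policy check is tightened. The addresses, the `SA`/`Policy`/`accept` names and the `strict` rule (a packet that came out of an SA must match a policy naming that SA) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from documentation ranges; none come from the mail.
T = ipaddress.ip_network("192.0.2.0/24")         # trusted network T
H = ipaddress.ip_address("192.0.2.1")            # our host H
A = ipaddress.ip_address("203.0.113.10")         # remote peer A
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class SA:
    peer: ipaddress.IPv4Address       # peer the tunnel SA was set up with
    sel_src: ipaddress.IPv4Network    # selector for the inner source
    sel_dst: ipaddress.IPv4Network    # selector for the inner destination

@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    peer: Optional[ipaddress.IPv4Address]  # SA peer required; None = must be plain

def accept(policies, sa, inner_src, inner_dst, strict):
    """Inbound decision for one packet; sa is None if it arrived without IPsec."""
    # Step 1: SA selector check (only applies to packets that used an SA).
    if sa and not (inner_src in sa.sel_src and inner_dst in sa.sel_dst):
        return False
    # Step 2: policy check against the first policy matching the inner source.
    for p in policies:
        if inner_src in p.src:
            return (sa.peer if sa else None) == p.peer
    # No policy matched. Lenient: accept. Strict (assumed hardening): a packet
    # that came out of an SA must be covered by a policy naming that SA.
    return sa is None or not strict

TUNNEL_A = SA(peer=A, sel_src=ANY, sel_dst=ANY)                    # "any to any"
POLICIES = [Policy(src=ipaddress.ip_network(f"{A}/32"), peer=A)]   # nothing for T
SRC_IN_T = ipaddress.ip_address("192.0.2.77")                      # an address in T

if __name__ == "__main__":
    for strict in (False, True):
        verdict = accept(POLICIES, TUNNEL_A, SRC_IN_T, H, strict)
        print(f"strict={strict}: inner src in T via A's tunnel accepted={verdict}")
```

In this model, an explicit policy for T that requires plain delivery (`Policy(src=T, peer=None)`) also rejects the packet without the strict rule.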