[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Bruce Schneier on IPsec

To: Paul Koning <pkoning@xxxxxxxxx>
Subject: Re: Bruce Schneier on IPsec
From: Stephen Kent <kent@xxxxxxx>
Date: Tue, 25 Jan 2000 08:07:10 -0500
Cc: ipsec@xxxxxxxxxxxxxxxxx
In-reply-to: <>
References: <><><> <><>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

Paul,

Yes, ESP w/o authentication is susceptible to certain forms of active attacks that can result in a breach of confidentiality, under certain circumstances. I think the easiest way to characterize such circumstances is that muxing multiple user data streams over a single SA provides the opportunity for such attacks. Since IPsec allows for fine grained SAs, it is possible to avoid such attacks and thus there are safe ways of using this option as well. The text of 2401 alludes to such concerns already. A stronger and more precise set of warnings could be added if necessary.

Steve

References:
- Re: Bruce Schneier on IPsec
  - From: Henry Spencer
- Re: Bruce Schneier on IPsec
  - From: Paul Hoffman
- Re: Bruce Schneier on IPsec
  - From: Paul Hoffman
- Re: Bruce Schneier on IPsec
  - From: Steve Kent
- Re: Bruce Schneier on IPsec
  - From: Paul Koning

Prev by Date: Once upon a time ... (Re: Remove)
Next by Date: Re: Bruce Schneier on IPsec
Previous by thread: Re: Bruce Schneier on IPsec
Next by thread: Counterpane comments, ASCII version
Index(es):
- Date
- Thread