
Re: SPD issues

Mark Duffy wrote:

[MD] So, there is an SPD selection function that chooses an SPD. And there is an IP forwarding function that selects a next hop to forward a datagram to. And the two may be completely independent or completely entwined, depending on the nature of the device.

[JT] It's the entwined case that presents the largest problem. I.e., if the SPD selection is based on forwarding information that then changes by the time the subsequently tunneled (or not tunneled) packet is emitted from IPsec.

This could happen whether dynamic or static routing is used; the issue is flux in the forwarding table and whether it is _allowed_ to affect SPD selection.

Calling the function "SPD selection" doesn't absolve the problem.


No. But it isolates the problems of which SPD to use, and which interface/next hop to send the packet to. Whoever feels that these are or need to be entwined for their application is free to do so. Those solving simpler problems can avoid that. And 2401bis can take itself out of the business of IP forwarding decisions.


I'm in favor of those last two observations, but it's the "whoever feels .. is free to do so" that worries me. I.e., this gives enough freedom to end up with a nasty loophole, e.g., "SPD selection can be supported, but how is up to the implementer, and whether it is secure depends on the implementation".
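The following is an added illustration and not part of the thread above: a toy Python model of the two designs being contrasted, a decoupled SPD lookup that keys only on packet selectors, and an entwined one that keys on the egress interface the forwarding lookup returned. It then withdraws a route between SPD selection and packet emission to show the failure mode the reply worries about (a BYPASS decision made for one interface carried out on another), and a re-check at emission time that closes it. All addresses, interface names and policy entries are constructed for the example; nothing here is taken from any real IPsec stack or from 2401bis.

```python
"""
Toy model of IPsec SPD selection that is either decoupled from, or
entwined with, the IP forwarding decision.  Constructed example: the
routes, interfaces and SPD entries below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str


@dataclass
class SPDEntry:
    dst: ipaddress.IPv4Network
    action: str                    # "PROTECT", "BYPASS" or "DISCARD"
    egress: Optional[str] = None   # only consulted by the entwined design


@dataclass
class Decision:
    action: str
    egress_at_select: Optional[str]   # None when selection ignored forwarding
    egress_at_emit: str


def lookup_route(table, dst):
    """Longest-prefix match over a list of Route objects."""
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def select_spd(spd, dst, egress=None):
    """First-match SPD lookup; an entry's egress constraint must match if present."""
    for e in spd:
        if dst in e.dst and (e.egress is None or e.egress == egress):
            return e
    return SPDEntry(ipaddress.ip_network("0.0.0.0/0"), "DISCARD")


def send_decoupled(spd, table, dst, route_change=None):
    """SPD selection uses packet selectors only; forwarding is decided afterwards,
    so a change in the forwarding table cannot alter the policy decision."""
    entry = select_spd(spd, dst)
    if route_change:
        route_change(table)          # forwarding table changes before emission
    out = lookup_route(table, dst)
    return Decision(entry.action, None, out.iface)


def send_entwined(spd, table, dst, route_change=None, recheck=False):
    """SPD selection depends on the egress interface chosen by forwarding."""
    planned = lookup_route(table, dst)
    entry = select_spd(spd, dst, planned.iface)
    if route_change:
        route_change(table)          # forwarding table changes before emission
    out = lookup_route(table, dst)
    if recheck and out.iface != planned.iface:
        # Guard: the forwarding decision moved underneath us; redo selection
        # against the interface the packet will actually leave on.
        entry = select_spd(spd, dst, out.iface)
        planned = out
    return Decision(entry.action, planned.iface, out.iface)


def consistent(d):
    """True if the policy was chosen for the interface the packet left on."""
    return d.egress_at_select is None or d.egress_at_select == d.egress_at_emit


def build_scenario():
    n = ipaddress.ip_network
    table = [Route(n("10.0.0.0/8"), "wan0"), Route(n("10.1.0.0/16"), "lan0")]
    spd = [
        SPDEntry(n("10.1.0.0/16"), "BYPASS", egress="lan0"),  # cleartext only on the trusted side
        SPDEntry(n("10.0.0.0/8"), "PROTECT", egress="wan0"),
        SPDEntry(n("10.0.0.0/8"), "PROTECT"),                # selector-only entry
    ]
    return spd, table


def withdraw_lan_route(table):
    """Simulated routing flux: the more specific lan0 route disappears."""
    table[:] = [r for r in table if r.iface != "lan0"]


def run_demo():
    dst = ipaddress.ip_address("10.1.5.5")
    results = {}
    spd, table = build_scenario()
    results["decoupled"] = send_decoupled(spd, table, dst, withdraw_lan_route)
    spd, table = build_scenario()
    results["entwined"] = send_entwined(spd, table, dst, withdraw_lan_route)
    spd, table = build_scenario()
    results["entwined_recheck"] = send_entwined(spd, table, dst, withdraw_lan_route, recheck=True)
    return results


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(f"{name:17s} action={d.action:8s} selected_for={d.egress_at_select} "
              f"emitted_on={d.egress_at_emit} consistent={consistent(d)}")
```

In the entwined case without the re-check, the packet is selected for BYPASS because forwarding said lan0, then leaves in the clear on wan0 once the lan0 route is gone; the decoupled design reaches PROTECT regardless of what the forwarding table does, and the re-check restores consistency for the entwined design at the cost of a second lookup at emission time.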