Re: SPD issues

[Joe Touch <touch@xxxxxxx>]

Mark Duffy wrote:

> > > [MD] So, there is an SPD selection function that chooses an SPD.  And 
> > > there is an IP forwarding function that selects a next hop to forward 
> > > a datagram to.  And the two may be comepletely independent or 
> > > completely entwined, depending on the nature of the device.
> >
> >
> > [JT] It's the entwined case that presents the largest problem. I.e., 
> > if the SPD selection is based on forwarding information that then 
> > changes by the time the subsequently tunneled (or not tunneled) packet 
> > is emitted from IPsec.
> >
> > This could happen whether dynamic or static routing is used; the issue 
> > is flux in the forwarding table and whether it is _allowed_ to affect 
> > SPD selection.
> >
> > Calling the function "SPD selection" doesn't absolve the problem.
> >
> > Joe
>
>
> No.  But it isolates the problems of which SPD to use, and which 
> interface/ next hop to send the packet to.  Whoever feels that these are 
> or need to be entwined for their application is free to do so.. Those
> solving simpler problems can avoid that.  And 2401bis can take itself 
> out of the business of IP forwarding decisions.
>
> Mark

I'm in favor of those last two observations, but it's the "whoever feels
.. is free to do so" that worries me. I.e., this gives enough freedom to
end up with a nasty loophole, e.g., "SPD selection can be supported, but
how is up to the implementer, and whether it is secure depends on the
implementation".

Joe