[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SPD issues
Mark Duffy wrote:
[MD] So, there is an SPD selection function that chooses an SPD. And
there is an IP forwarding function that selects a next hop to forward
a datagram to. And the two may be comepletely independent or
completely entwined, depending on the nature of the device.
[JT] It's the entwined case that presents the largest problem. I.e.,
if the SPD selection is based on forwarding information that then
changes by the time the subsequently tunneled (or not tunneled) packet
is emitted from IPsec.
This could happen whether dynamic or static routing is used; the issue
is flux in the forwarding table and whether it is _allowed_ to affect
Calling the function "SPD selection" doesn't absolve the problem.
No. But it isolates the problems of which SPD to use, and which
interface/ next hop to send the packet to. Whoever feels that these are
or need to be entwined for their application is free to do so.. Those
solving simpler problems can avoid that. And 2401bis can take itself
out of the business of IP forwarding decisions.
I'm in favor of those last two observations, but it's the "whoever feels
.. is free to do so" that worries me. I.e., this gives enough freedom to
end up with a nasty loophole, e.g., "SPD selection can be supported, but
how is up to the implementer, and whether it is secure depends on the