I don't follow your logic here.  You say you want edge-to-edge flow labels,
not end-to-end, yet complain that flow labels are not secure since they are
not covered by AH IPsec.  If they were covered by AH IPsec, then they would
be secure end-to-end, not edge-to-edge.  We have no mechanism to secure
things edge-to-edge (unless you're counting on all edges being security
gateways with all "inside" traffic existing in IPsec tunnels).

I also don't understand your concerns regarding a covert channel.  Since
IPsec is secure end-to-end, the trust is in the end hosts.  Of course they
can send whatever data they want encrypted and hide it from things in the
middle.  This is a feature.  If the worry is that routers along the way can
piggy-back a covert channel, there are many other ways to do that.  They can
play games with the Hop Count, for one.  Or in packets that contain at least
one Hop-by-Hop or Destination Option, they can add another one of their own
invention with the upper bits set to 001 so it will be skipped over by
routers that don't understand it and treated as mutable by AH.

--Brian

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 22 November, 2000 05:44
> To: [EMAIL PROTECTED]
> Subject: Security considerations about the flow label
> 
> 
> Dear list,
> 
> sorry to stir the hornet's nest about end-to-end flow
> labels, but I think there are some security problems
> in them.
> 
> First, the labels are excluded from the IPSec AH,
> which means they cannot be trusted. I wouldn't build
> a service that is based on them, unless there is some
> other way to make them trustworthy. Like keeping the 
> server and the client within the same administrative
> domain.
> 
> Another problem is a covert channel. If a client can
> set the flow label bits, it can communicate with the
> outside world without anybody noticing. I don't mean
> just transmitting payload without paying for it. 
> There are spy programs, too.
> 
> Don't-care bits should not cross a security perimeter.
> All header fields that are not protected by the IPSec
> AH should be overwritten by edge routers. Either by
> something neutral (like zeroes for flow label) or
> values that have been agreed with the peering domain
> (DiffServ Code Points).
> 
> I vote for edge-to-edge flow labels, not end-to-end.
> 
> -- Lassi
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
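An added worked example (not part of the thread, and not code posted by either participant) of the rule both messages turn on: AH computes its ICV over an IPv6 base header with Traffic Class, Flow Label and Hop Limit zeroed (RFC 2402), so the flow label can be rewritten in flight without disturbing the ICV, while rewriting an address is caught. It also decodes the option-type bit pattern Brian mentions (act bits 00 = skip if unrecognised, chg bit 1 = mutable for AH) and applies the edge-router zeroing Lassi proposes. Assumptions: a pre-shared HMAC-SHA1-96 key, constructed addresses from the 2001:db8::/32 documentation prefix, and an ICV over the 40-byte base header plus payload only (a real AH ICV also covers extension headers and the AH header itself with its ICV field zeroed).

```python
import hashlib
import hmac
import struct

# Constructed sample addresses (documentation prefix), not from the thread.
SRC = bytes.fromhex("20010db8" + "0" * 23 + "1")
DST = bytes.fromhex("20010db8" + "0" * 23 + "2")
ATTACKER_DST = bytes.fromhex("20010db8" + "0" * 21 + "bad")


def ipv6_header(flow_label, src=SRC, dst=DST, tclass=0, hop_limit=64,
                payload_len=0, next_header=51):
    """Build a 40-byte IPv6 base header (next_header 51 = AH)."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is a 20-bit field")
    first_word = (6 << 28) | (tclass << 20) | flow_label
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def flow_label(hdr):
    return struct.unpack("!I", hdr[:4])[0] & 0xFFFFF


def ah_immutable_view(hdr):
    """Zero the base-header fields RFC 2402 classifies as mutable: Traffic Class,
    Flow Label and Hop Limit. Version, Payload Length, Next Header and the two
    addresses remain, and only those are covered by the ICV."""
    first_word = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", first_word) + hdr[4:7] + b"\x00" + hdr[8:]


def ah_icv(key, hdr, payload):
    """HMAC-SHA1-96 over the immutable view plus payload. Extension headers and
    the AH header itself (ICV field zeroed) are omitted here by assumption."""
    return hmac.new(key, ah_immutable_view(hdr) + payload, hashlib.sha1).digest()[:12]


def option_type_info(t):
    """Decode an IPv6 option type byte: the two high 'act' bits say what a node
    that does not recognise the option must do (00 = skip it), and the 'chg'
    bit says whether the data may change in flight (1 = mutable, zeroed by AH).
    A 001xxxxx type is therefore skipped by routers and ignored by AH."""
    act = (t >> 6) & 0b11
    chg = (t >> 5) & 1
    return {"skip_if_unknown": act == 0, "mutable_for_ah": chg == 1}


def edge_normalize(hdr):
    """Edge-router normalisation of the flow label: overwrite the unprotected
    field with zero before the packet crosses the security perimeter."""
    first_word = struct.unpack("!I", hdr[:4])[0] & ~0xFFFFF
    return struct.pack("!I", first_word) + hdr[4:]


def demo(key=b"constructed-demo-key", payload=b"hello"):
    """Report which in-flight modifications an AH receiver would detect."""
    sent = ipv6_header(flow_label=0x12345)
    icv = ah_icv(key, sent, payload)

    # A middlebox (or the sending host) stuffs 20 bits of covert data into the
    # flow label: the ICV still verifies, so AH neither prevents nor reveals it.
    relabelled = ipv6_header(flow_label=0xDEADB)
    # A middlebox rewrites the destination address: the ICV no longer verifies.
    rerouted = ipv6_header(flow_label=0x12345, dst=ATTACKER_DST)
    # The edge router zeroes the flow label: still verifies, covert data gone.
    normalized = edge_normalize(relabelled)

    def verifies(hdr):
        return hmac.compare_digest(ah_icv(key, hdr, payload), icv)

    return {
        "flow_label_rewrite_verifies": verifies(relabelled),
        "dst_rewrite_verifies": verifies(rerouted),
        "edge_zeroed_verifies": verifies(normalized),
        "normalized_flow_label": flow_label(normalized),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
    print("option type 0x20:", option_type_info(0x20))
```

The point the block makes concrete is that AH's silence about the flow label is by design, not an oversight: the receiver verifies the same ICV whether the label carries the original value, 20 bits of smuggled data, or the zero an edge router wrote over it, so the only place the label can be controlled is at the perimeter, exactly the trade-off the two messages disagree about.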
