>
>I also don't understand your concerns regarding a covert channel.  Since
>IPsec is secure end-to-end, the trust is in the end hosts.  Of course they
>can send whatever data they want encrypted and hide it from things in the
>middle.  This is a feature.  If the worry is that routers along the way can
>piggy-back a covert channel, there are many other ways to do that.  They can
>play games with the Hop Count, for one.  Or in packets that contain at least
>one Hop-by-Hop or Destination Option, they can add another one of their own
>invention with the upper bits set to 001 so it will be skipped over by
>routers that don't understand it and treated as mutable by AH.
I think the tiny covert channel meant is that one of the end hosts leaks out
(intentionally, or being exploited by a malicious insider)
information using a field not covered by IPSec's protection, and tries to do so
without being noticed. The recipient of
the leaked info is not necessarily the other (trusted) end host.
Messing with the hop count may work, but, due to unpredictable re-routes,
it is not reliable for the spy who cares about the integrity of the data being
leaked.
Mutable h-b-h or dest1 options could also be exploited, but, again, they are
mutable, and may mean something to routers in between and get altered.

        Kais.

>
>--Brian
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>> Sent: Wednesday, 22 November, 2000 05:44
>> To: [EMAIL PROTECTED]
>> Subject: Security considerations about the flow label
>> 
>> 
>> Dear list,
>> 
>> sorry to stir the hornet's nest about end-to-end flow
>> labels, but I think there are some security problems
>> in them.
>> 
>> First, the labels are excluded from the IPSec AH,
>> which means they cannot be trusted. I wouldn't build
>> a service that is based on them, unless there is some
>> other way to make them trustworthy. Like keeping the 
>> server and the client within the same administrative
>> domain.
>> 
>> Another problem is a covert channel. If a client can
>> set the flow label bits, it can communicate with the
>> outside world without anybody noticing. I don't mean
>> just transmitting payload without paying for it. 
>> There are spy programs, too.
>> 
>> Don't-care bits should not cross a security perimeter.
>> All header fields that are not protected by the IPSec
>> AH should be overwritten by edge routers. Either by
>> something neutral (like zeroes for flow label) or
>> values that have been agreed with the peering domain
>> (DiffServ Code Points).
>> 
>> I vote for edge-to-edge flow labels, not end-to-end.
>> 
>> -- Lassi
>--------------------------------------------------------------------
>IETF IPng Working Group Mailing List
>IPng Home Page:                      http://playground.sun.com/ipng
>FTP archive:                      ftp://playground.sun.com/pub/ipng
>Direct all administrative requests to [EMAIL PROTECTED]
>--------------------------------------------------------------------
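As an added example (not code from the thread or from any IPng participant): Python that implements the edge-router normalization Lassi proposes, zeroing the flow label and rewriting Traffic Class to a DSCP agreed with the peering domain, together with a simple detection heuristic for the per-packet label variation Kais's reply describes. The addresses, labels and DSCP value are constructed sample data.

```python
import struct
from collections import defaultdict

# Constructed addresses for the sample packets (documentation prefix 2001:db8::/32).
HOST_A = bytes.fromhex("20010db8000000000000000000000001")
HOST_B = bytes.fromhex("20010db8000000000000000000000002")

def build_ipv6_header(flow_label, src, dst, traffic_class=0, payload_len=0,
                      next_hdr=59, hop_limit=64):
    """Assemble a 40-byte IPv6 header (next header 59 = No Next Header)."""
    word0 = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB", word0, payload_len, next_hdr, hop_limit) + src + dst

def parse_ipv6_header(pkt):
    """Return (version, traffic_class, flow_label) from the first 32-bit word."""
    (word0,) = struct.unpack("!I", pkt[:4])
    return word0 >> 28, (word0 >> 20) & 0xFF, word0 & 0xFFFFF

def normalize_at_edge(pkt, agreed_dscp):
    """Edge-router rewrite of the AH-unprotected fields: flow label set to zero,
    Traffic Class set to the DSCP agreed with the peering domain (ECN bits cleared).
    Everything from the payload length onward is copied unchanged."""
    if parse_ipv6_header(pkt)[0] != 6:
        raise ValueError("not an IPv6 header")
    word0 = (6 << 28) | ((agreed_dscp & 0x3F) << 22)
    return struct.pack("!I", word0) + pkt[4:]

def distinct_labels_per_pair(packets):
    """Detection heuristic: number of distinct flow labels seen per (src, dst).
    A legitimate sender keeps one label per flow; a source that cycles through
    many labels towards one destination is worth inspecting."""
    seen = defaultdict(set)
    for pkt in packets:
        seen[(pkt[8:24], pkt[24:40])].add(parse_ipv6_header(pkt)[2])
    return {pair: len(labels) for pair, labels in seen.items()}

# Constructed traffic: one host keeps a stable label, the other varies it per packet.
STEADY = [build_ipv6_header(0x12345, HOST_A, HOST_B) for _ in range(6)]
VARYING = [build_ipv6_header(0x10000 + i * 0x2F1, HOST_B, HOST_A) for i in range(6)]

if __name__ == "__main__":
    print(distinct_labels_per_pair(STEADY + VARYING))
    print(distinct_labels_per_pair([normalize_at_edge(p, 0x2E) for p in VARYING]))
```

Running it shows six distinct labels for the varying host before normalization and one (zero) afterwards, which is the point of overwriting the field at the edge.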
