> I think the tiny covert channel meant is that one of
> the end hosts leaking out (intentionally or being
> exploited by a malicious insider) information using
> a field not covered by IPSec's protection, and tries
> to do so without being noticed. The recipient of the
> leaked info is not necessarily the other end host (trusted).
Okay, I can understand this concern. Unfortunately, malicious insiders are
very hard to protect against. Those end nodes essentially become untrusted.
Untrusted nodes can do all sorts of unsavory things. I don't think this
covert channel issue is something we need to worry about when debating how
to define the flow label.
[The rest of this message is just an academic exercise]
> Messing with the hop count may work, but, due to
> unpredictable re-routes, it is not reliable for the spy
> who cares about the integrity of the data being leaked.
I suspect you would find that in practice the upper two or three bits of the
hop count never change over the life of most connections. With a little bit
of error correction, you could probably get a decent (albeit low bit rate)
data channel over that.
> Mutable h-b-h or dest1 options could also be exploited,
> but, again, they are mutable, and may mean something to
> routers in between and get altered.
Ah, you missed my point about setting the option type bits appropriately.
You could invent your own option with a new type code (so no intervening
routers will mess with it) and set the upper bits to 00, causing nodes that
don't understand this type to just skip over the option instead of dropping
the packet or flagging an error. I thought of a different flaw with this
scheme after sending that, however. While AH can be told to treat this new
option as mutable, it still includes the option in the ICV calculation (as
all zeroes). So if it is added after the ICV calculation on the sending
side, then the receiving covert entity on/near the other end would have to
strip out this option before it made it to the intended receiver. But if
the malicious insider can add the option before the ICV is calculated (and
marks it mutable), then the covert receiver could just read it (and wipe the
bits if it cared to) before the intended receiver saw the packet.
--Brian
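As an added example (not code from the thread or the working group), here is a small Python check a defender could run over captured IPv6 packets: it decodes the act/chg bits of the option type that Brian describes and flags unknown Hop-by-Hop options that routers are told to skip yet that carry non-zero data. The sample packet, the addresses and the option type 0x3E are constructed for the demonstration.

```python
import struct

# Option-type bit layout (RFC 2460, section 4.2):
#   bits 7-6 (act): how an unknown option is handled; 00 = skip and keep processing
#   bit  5   (chg): 1 = may change en route, so AH zeroes the data in the ICV
ACT_SKIP = 0b00
KNOWN_TYPES = {0x00: "Pad1", 0x01: "PadN", 0x05: "Router Alert", 0xC2: "Jumbo Payload"}

def parse_hbh_options(pkt: bytes) -> list:
    """Return (type, data) tuples from the Hop-by-Hop header of a raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    if pkt[6] != 0:                      # Next Header 0 = Hop-by-Hop Options
        return []
    hdr_len = (pkt[41] + 1) * 8          # Hdr Ext Len is in 8-octet units, excluding the first 8
    opts = pkt[42:40 + hdr_len]
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0x00:                    # Pad1 is a single byte with no length field
            i += 1
            continue
        ln = opts[i + 1]
        out.append((t, bytes(opts[i + 2:i + 2 + ln])))
        i += 2 + ln
    return out

def suspicious_options(pkt: bytes) -> list:
    """Flag unknown options that routers would skip (act=00) and that carry non-zero data."""
    findings = []
    for t, data in parse_hbh_options(pkt):
        if t in KNOWN_TYPES:
            continue
        act, chg = t >> 6, (t >> 5) & 1
        if act == ACT_SKIP and any(data):
            findings.append({"type": t, "mutable": bool(chg), "len": len(data)})
    return findings

def build_packet(options: bytes) -> bytes:
    """Constructed sample: IPv6 header + Hop-by-Hop header padded to a multiple of 8 octets."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"                                        # Pad1
    elif pad > 1:
        options += b"\x01" + bytes([pad - 2]) + bytes(pad - 2)    # PadN
    hbh = bytes([59, (2 + len(options)) // 8 - 1]) + options      # 59 = No Next Header
    src = bytes.fromhex("20010db8000000000000000000000001")       # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return b"\x60\x00\x00\x00" + struct.pack("!HBB", len(hbh), 0, 64) + src + dst + hbh

# Constructed option 0x3E: act=00 (skip), chg=1 (mutable), 4 bytes of non-zero payload
SAMPLE_PKT = build_packet(b"\x3e\x04\xde\xad\xbe\xef" + b"\x05\x02\x00\x00")
BENIGN_PKT = build_packet(b"\x05\x02\x00\x00")                    # Router Alert only
```

The check is deliberately narrow: a legitimately unknown option with non-zero data will also be reported, so the output is a lead to look at, not proof of a covert channel.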
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------