Re: [IPsec] [TICTOC] Review request for IPsec security for packet based synchronization (Yang Cui)

Tue, 18 Oct 2011 12:11:57 -0700 

That's what I was thinking.

The point is that IPSec is a security mechanism, so if you're specifying its 
use you need to discuss the security considerations.  (The RFC will need to do 
so.)  That translates into discussing the possible attacks and what effect they 
would have on the integrity of the service.  And yes, active attacks are very 
much part of the world in which IPSec is intended to live.

Usually, IPSec protects data, and the data carried by IPSec is protected from 
eavesdropping and from undetected modification or replay.  It is not protected 
from denial of service.

All that is true for time synchronization as well.  But unlike most data 
transfer protocols, in your case it's not just the content of the packets that 
matters, but also their arrival times.  And my point is that IPSec does not 
protect you from an attacker tampering with the arrival times.  So you'd want 
to call out the fact that a measured round trip time T means the time obtained 
by the sync process is accurate to T - but that you cannot assume it is 
accurate to better than T as you usually would.

                paul

From: Kevin Gross [mailto:[email protected]]
Sent: Tuesday, October 18, 2011 2:57 PM
To: Koning, Paul
Cc: [email protected]; [email protected]; [email protected]; [email protected]; 
[email protected]; [email protected]
Subject: Re: [IPsec] [TICTOC] Review request for IPsec security for packet 
based synchronization (Yang Cui)

I suppose there is a possible selective attack vector here based on messing 
with packets based on their length and transmission timing. It's an interesting 
topic but I don't think that was the intended topic of this discussion. We want 
to figure out how/if can we make clock distribution work through an IPSec 
connection. I guess your point is that an "IPSec connection" should be defined 
as an IPSec connection _under active attack_. I'm afraid not qualified to 
assess these larger-picture security questions.
...


_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to