On Tue, Oct 18, 2011 at 1:57 PM, Kevin Gross <[email protected]> wrote:
> I suppose there is a possible selective attack vector here based on messing
> with packets based on their length and transmission timing. It's an
> interesting topic but I don't think that was the intended topic of this
> discussion. We want to figure out how/if we can make clock distribution work
> through an IPSec connection. I guess your point is that an "IPSec
> connection" should be defined as an IPSec connection _under active attack_.
> I'm afraid I'm not qualified to assess these larger-picture security questions.

[Nit: it's IPsec, not IPSec.]

There's no such thing as an "IPsec connection".  (The closest to that
would be RFC5660.)

I don't understand what it is about IPsec that makes it difficult or
impossible to distribute time ("[w]e want to figure out how/if we can
make clock distribution work through [IPsec]").  My guess is that you
are referring to IPsec processing latency, but that's only a guess.

Nico
--
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
