Yaron Sheffer writes: > Yes, these are lossy algorithms, but the TLS/HTTP attacks are all with > lossless algorithms. And as far as I know, they are applicable to any > situation where here is an attacker that can force traffic on the wire, > mixed with other, non-attacker controlled traffic. So IMO they are not > restricted to just HTTP.
There is big difference in the TLS and ESP that in the TLS the compression is statefull, so if I send text "foobarzappa" earlier, and then later in the session send the same string, that string will get compressed. In the ESP this will only happen if you send it inside the same packet. I.e., i.e., you can use the compression to check the lengths if you can make one end to send packet where parts of the packet comes from the attacker, and parts of it comes from somewhere else, and attacker wants to verify whether his guess on the text on the other parts are correct. There are ways to use those attacks also against ESP, but I think they are harder than against TLS, and also the main reason they worked for the TLS, was because TLS allowed attackers to run code on the target machine (javascript), which was then used to send trial stuff over the same compressed link. Anyways, I do not think compression is that widely used, and having it as MAY is fine. We could add some note warning about the risks of using compression. I.e., using compression, might leak out information about the data transmitted over the ESP, and it might be good idea not to enable compression if full confidentiality is required. On the other hand on some IoT or similar environments, where every byte counts, it might be useful to have compression. Also in some of those environments authentication and authorization is much more important than confidentiality. -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
