Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-12 Thread Bhatia, Manav (Manav)
BTW, insider threats are on the rise according to various public reports, so should not be discounted. This is one of the motivations of employing security, even within the Enterprise. Yes, but I do not really think people are going to solve those using ESP-NULL. I think they must move

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-11 Thread Tero Kivinen
Grewal, Ken writes: Are QOS and auditing devices really stateless? I would expect QOS devices to have all kind of reservation systems and so on and for those I would expect them to be keeping state? [Ken] QoS may be applied on the need of the underlying service. E.g. A static rule that

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-10 Thread Yoav Nir
gabriel montenegro wrote: I'll just comment on one item below: As the draft says this is mostly meant for stateful devices, and that has been the main goal for the document. The charter says: A standards-track mechanism that allows an intermediary device, such as a firewall or intrusion

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-09 Thread Tero Kivinen
Grewal, Ken writes: [Ken] This may be feasible for stateful devices, but does not work for stateless devices (QOS/Statistics/auditing functions). Even in stateful devices, it requires coupling between observation on flows and the associated heuristics cache engine, which creates an additional

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-06 Thread Grewal, Ken
Additional comment below... ...Snip... Cache eviction - how will this work? We can keep adding SAs (based on heuristics), but how do we decide when a given SA is no longer needed? This compounds the issues with keeping state, as in the best case, cache eviction will likely be policy based.

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Tero Kivinen
Grewal, Ken writes: The 'bait and switch' attack where a connection uses ESP-NULL and then at a later stage uses ESP-Encrypted may also be possible unintentionally. E.g. Connection to a server (cluster / farm) to gain access to a 'normal' service uses ESP-NULL and then at a later stage, where

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Grewal, Ken
Hi Ken, Yoav, I agree with Ken that the policy needs not be black and white, but for a different reason. Some people will treat deep packet inspection by middleboxes as an optional service: you want it for most

Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments

2009-02-05 Thread Dragan Grebovich
I looked for some traffic stats in a real, large enterprise network and I found that UDP comprises 25-30% vs. TCP 70-75% of all traffic. The stats were measured on multiple places in the network, and multiple samples were taken over the past 6 weeks. Also, there is a slow but consistent growth