hipl-core team mailing list archive
Re: One more thing about hipfw-performance
On 13.09.2010 at 20:40, Christof Mroz wrote:
> Things currently done by hipfw in userspace, other than dispatching (see filter_esp_state()):
> - validating esp_prot tokens
> Should packets be forced into userspace when esp_prot is active?
Sadly, yes. It would be great to have a kernel space module for that.
> - validating the esp seqno
> Forging this isn't lucrative for attackers anyway, because the packet is going to be discarded at the end-host. If someone was after DOS-ing the middlebox, he'd be able to without sequence number trickery since an SA has already been established at this point.
> - updating connection timestamp
> The timestamp isn't currently referenced in the code anyway.
> Of course, these currently won't be done if dispatched by iptables.
This means that we can nail down IPsec ESP traffic to a combination of SPI and IP addresses? If that is the case, it is sufficient for now. ESP sequence numbers and timestamp are not cryptographically protected anyway. If someone takes the effort to forge ESP packets, forging the sequence numbers and the timestamp are not an obstacle anymore.
> Mailing list: https://launchpad.net/~hipl-core
> Post to : hipl-core@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~hipl-core
> More help : https://help.launchpad.net/ListHelp
Dipl.-Inform. Tobias Heer, Ph.D. Student
Chair of Communication and Distributed Systems - comsys
RWTH Aachen University, Germany
tel: +49 241 80 207 76
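The middlebox-side view discussed in this thread (ESP traffic pinned to a (src, dst, SPI) tuple, with the sequence number readable but not verifiable at the firewall) as an added example; this is not hipfw code and not from the thread's authors. It models a stateful ESP filter in Python that parses the cleartext ESP header from constructed packets, accepts only known SAs, and applies an anti-replay window to the sequence number. The class and function names, the 64-packet window, and the sample addresses and SPIs are assumptions.

```python
import struct
import time
from dataclasses import dataclass

# ESP header as seen by any on-path device: SPI and sequence number, both in the clear
# (RFC 4303). The ICV that binds them is keyed, so a middlebox cannot verify it.
ESP_HEADER = struct.Struct("!II")


@dataclass
class EspState:
    """Per-SA state a middlebox can keep without holding the session key."""
    highest_seq: int = 0      # largest sequence number accepted so far
    window: int = 0           # bitmap: bit i set -> highest_seq - i already seen
    window_size: int = 64     # assumed window width
    last_seen: float = 0.0    # connection timestamp, refreshed on accept


def parse_esp(payload: bytes):
    """Return (spi, seq) from the start of an IP payload carrying ESP."""
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(payload)


class EspFilter:
    """Stateful ESP filter keyed on (src, dst, SPI), the tuple iptables can match on."""

    def __init__(self):
        self.table = {}

    def add_sa(self, src: str, dst: str, spi: int) -> None:
        """Register an SA once the HIP base exchange has established it."""
        self.table[(src, dst, spi)] = EspState()

    def check(self, src: str, dst: str, payload: bytes, now: float = None) -> str:
        spi, seq = parse_esp(payload)
        state = self.table.get((src, dst, spi))
        if state is None:
            return "drop: unknown (src, dst, SPI)"

        # Anti-replay window in the style of RFC 4303 Appendix A. Without the key this
        # is a heuristic: it rejects obvious duplicates and stale packets, but a forged
        # packet carrying a plausible sequence number still passes to the end host,
        # which is the point made in the thread.
        mask = (1 << state.window_size) - 1
        if seq > state.highest_seq:
            shift = seq - state.highest_seq
            state.window = 1 if shift >= state.window_size else ((state.window << shift) | 1) & mask
            state.highest_seq = seq
        else:
            offset = state.highest_seq - seq
            if offset >= state.window_size:
                return "drop: sequence number older than window"
            if state.window & (1 << offset):
                return "drop: replayed sequence number"
            state.window |= 1 << offset

        state.last_seen = time.time() if now is None else now
        return "accept"


def make_esp_packet(spi: int, seq: int) -> bytes:
    """Constructed sample: ESP header followed by opaque (here zero) ciphertext."""
    return ESP_HEADER.pack(spi, seq) + b"\x00" * 16


if __name__ == "__main__":
    fw = EspFilter()
    fw.add_sa("10.0.0.1", "10.0.0.2", 0x1234)          # assumed sample SA
    for spi, seq in [(0x1234, 1), (0x1234, 1), (0x9999, 2), (0x1234, 100), (0x1234, 10)]:
        print(hex(spi), seq, fw.check("10.0.0.1", "10.0.0.2", make_esp_packet(spi, seq)))
```

The table lookup is the only part a kernel-side iptables match can do on its own; the window and the timestamp are what would still need per-packet state, which is why the thread treats them as optional at the middlebox.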