Re: [dtn-security] Encrypted IP headers

"Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com> Thu, 16 July 2009 02:13 UTC

Message-ID: <4A5E8C6C.5020506@LeonixSolutions.com>
Date: Thu, 16 Jul 2009 10:11:56 +0800
From: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Organization: Leonix Solutions Pte Ltd
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Peter Lovell <plovell@mac.com>
In-Reply-To: <20090715114903.2002525481@smtp.mac.com>
Cc: dtn-security@maillists.intel-research.net
Subject: Re: [dtn-security] Encrypted IP headers

Peter Lovell wrote:
> On Wed, Jul 15, 2009, Graham Keellings (Leonix Solutions Pte Ltd)
> <Graham@LeonixSolutions.com> wrote:
>
>>> Most systems have some interaction with the outside even
>>> though the community may be a closed one.
>>
>> Many military, navy, government, financial systems have a hard
>> requirement that they do not communicate with the internet (or even with
>> anything that does). In my case, I can live with that.
>
> I guess I need to enlarge on the point I was trying to make.
Thanks again for replying, Peter. I think I grokked all that you said 
and we seem to be in understanding here. I do hope that these 
discussions don't take up too much of your time, but you are an 
invaluable sounding-board.


> A fully-isolated system will be easier to secure but this requires full
> isolation. That is, no networking contact at all with the outside. 
Well, no _intended_ contact with the outside world. It's easy enough to 
achieve no contact with wired networks (ignoring USB sticks, CDs, etc, 
introducing something into the system). But I am talking of a wireless 
network, so I can only say that my intention would be to have no contact 
to the outside world - but I can't stop IP packets floating around on 
the frequency to which my nodes are listening. And that introduces the 
potential for security problems. If possible, I would like to deflect 
these problems as early as possible, and IP header encryption seems a 
reasonable solution.

> Once
> you have that, I'm not sure that encrypting the IP headers etc gives you
> a decent return on your effort.
>
I can't say either way. Will probably have to build it and profile it. 
If I can deflect rogue packets "quickly enough" to prevent DOS, then 
it's worth it. If not, then my IP header encryption only exacerbates the 
problem by adding more overhead. Hmmm, thinking about it, it does not 
seem to offer anything for DOS deflection...

What about other security advantages? I am thinking here of TCP/IP, not 
DTN. Are there any TCP/IP exploits which I can defend against with IP 
header encryption? Man in the middle, IP spoofing, etc.?


> The challenging situations where dtn is attractive will probably have
> interactions with the outside world, even though there might not be
> "communication" in the sense of exchanging information. If you have a
> portable radio, it has to deal with every packet in order to find the
> ones of interest. So your community might be closed but, at the lowest
> level, you have to listen to everything. And that's where the trouble starts. 
>
Yes, I see that. So, I am adding overhead there and have to ask if a) it 
is tolerable in absolute timing terms (but routers do this all the time, 
with MAC address filtering) and b) the overhead brings me security 
gains in TCP/IP. And, coming from the GSM / UMTS / satellite world, I 
don't know enough about TCP/IP security, but am trying to get up to 
speed fast.

Thanks, as always, for your insight.

> Regards.....Peter


-- 
Technical Director
Leonix Solutions (Pte) Ltd
18 Boon Lay Way
#09-95 TradeHub 21
Singapore 609966
Telephone:+65 6316 9968
Fax: +65 6316 9208
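An added illustration, not part of this thread and not anyone's deployed design: a keyed tag over a constructed header shows the two points the exchange circles around, that a receiver without the community key can reject spoofed headers, but it still spends one verification per rogue packet, so header protection alone does not deflect a flood, and a replayed legitimate header still passes. The header layout, the key and the tag length are constructed for the example.

```python
import hmac
import hashlib
import os
import struct

# Constructed demo key; a real deployment provisions the community key out of band.
COMMUNITY_KEY = b"constructed-demo-community-key"
TAG_LEN = 8  # truncated HMAC tag appended to the header (constructed choice)


def pack_header(src: bytes, dst: bytes, proto: int, length: int) -> bytes:
    """Minimal constructed header: 4-byte src, 4-byte dst, 1-byte proto, 2-byte length."""
    return struct.pack("!4s4sBH", src, dst, proto, length)


def seal(header: bytes, key: bytes = COMMUNITY_KEY) -> bytes:
    """Append a keyed tag so only holders of the community key can produce a valid header."""
    tag = hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


class Receiver:
    """Counts what the header check accepts, rejects, and how much work it does either way."""

    def __init__(self, key: bytes = COMMUNITY_KEY):
        self.key, self.verified, self.rejected, self.hmac_ops = key, 0, 0, 0

    def accept(self, frame: bytes) -> bool:
        self.hmac_ops += 1  # paid for every frame heard on the channel, good or rogue
        header, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(tag, expected):
            self.verified += 1
            return True
        self.rejected += 1
        return False


def simulate(n_rogue: int) -> tuple:
    """One legitimate frame, then n_rogue spoofed copies of its header with a guessed tag."""
    rx = Receiver()
    header = pack_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, 64)
    rx.accept(seal(header))
    for _ in range(n_rogue):
        rx.accept(header + os.urandom(TAG_LEN))  # attacker copies the header but lacks the key
    return rx.verified, rx.rejected, rx.hmac_ops


def replay_passes() -> bool:
    """A captured legitimate frame replayed verbatim still verifies: no replay protection here."""
    rx = Receiver()
    frame = seal(pack_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 17, 64))
    return rx.accept(frame) and rx.accept(frame)
```

With `simulate(100)` the receiver rejects all 100 spoofed frames yet performs 101 HMAC computations, which is the overhead question raised above; `replay_passes()` shows the caveat that authentication of the header alone does not stop replay.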