Re: [dtn-security] Encrypted IP headers

"Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com> Wed, 15 July 2009 03:05 UTC

Received: from sky.fastbighost.net (sky.fastbighost.net [76.76.22.153]) by maillists.intel-research.net (8.13.8/8.13.8) with ESMTP id n6F357IL007853 for <dtn-security@maillists.intel-research.net>; Tue, 14 Jul 2009 20:05:07 -0700
Received: from dyn98-b60-access.superdsl.com.sg ([202.73.60.98] helo=[192.9.200.103]) by sky.fastbighost.net with esmtpa (Exim 4.69) (envelope-from <Graham@LeonixSolutions.com>) id 1MQumO-00047F-IO; Tue, 14 Jul 2009 23:03:37 -0400
Message-ID: <4A5D4703.1000002@LeonixSolutions.com>
Date: Wed, 15 Jul 2009 11:03:31 +0800
From: "Graham Keellings (Leonix Solutions Pte Ltd)" <Graham@LeonixSolutions.com>
Organization: Leonix Solutions Pte Ltd
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: Peter Lovell <plovell@mac.com>
References: <89E48AE60E64EF4E8EB32B0B7EC74920A1B0F5@EVS-EC1-NODE2.surrey.ac.uk> <023601c9df2a$694fd5b0$3bef8110$@com> <4A2DF7FD.5020104@LeonixSolutions.com> <3A5AA67A8B120B48825BFFCF5443856137E3553C4B@NDJSSCC03.ndc.nasa.gov> <"029d01c 9e925$1e354880$5a9fd980$"@com> <4A46C257.3040006@LeonixSolutions.com> <"2009062 8050243.1566215671"@smtp.mac.com> <4A46FBB2.3080205@LeonixSolutions.com> <"2009 0628052255.640550503"@smtp.mac.com> <4A470CD7.4010502@LeonixSolutions.com> <"20 090628141313.1532044204"@smtp.mac.com> <4A4878A6.7010707@LeonixSolutions.com> <20090629123400.1726285002@smtp.mac.com> <C304DB494AC0C04C87C6A6E2FF5603DB2217B29183@NDJSSCC01.ndc.nasa.gov> <4A497B04.3070909@LeonixSolutions.com> <20090630122842.1049441707@smtp.mac.com> <4A556063.2010305@LeonixSolutions.com> <20090709041417.302976474@smtp.mac.com> <4A56E1CA.7080000@LeonixSolutions.com> <20090710120958.2016629300@smtp.mac.com> <4A5AA83C.7030400@LeonixSolutions.com> <20090713134603.958934311@smtp.mac.com>
In-Reply-To: <20090713134603.958934311@smtp.mac.com>
Content-Type: multipart/mixed; boundary="------------030900030109090604070404"
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - sky.fastbighost.net
X-AntiAbuse: Original Domain - maillists.intel-research.net
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - LeonixSolutions.com
X-Source:
X-Source-Args:
X-Source-Dir:
Cc: dtn-security@maillists.intel-research.net
Subject: Re: [dtn-security] Encrypted IP headers
X-BeenThere: dtn-security@maillists.intel-research.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DTN Security Discussion <dtn-security.maillists.intel-research.net>
List-Unsubscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@maillists.intel-research.net?subject=unsubscribe>
List-Archive: <http://maillists.intel-research.net/pipermail/dtn-security>
List-Post: <mailto:dtn-security@maillists.intel-research.net>
List-Help: <mailto:dtn-security-request@maillists.intel-research.net?subject=help>
List-Subscribe: <http://maillists.intel-research.net/mailman/listinfo/dtn-security>, <mailto:dtn-security-request@maillists.intel-research.net?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 03:05:07 -0000

Peter Lovell wrote:
> On Mon, Jul 13, 2009, Graham Keellings (Leonix Solutions Pte Ltd)
> <Graham@LeonixSolutions.com> wrote:
>
>   
>> What about this then - is it even feasible? If I know that I have a 
>> closed universe of nodes, can I encrypt the IP headers? That might help 
>> prevent  DOS by repeated pinging.   <snip>
>>
>> Am I on a totally wrong track here? Or could encrypted IP headers be one 
>> more layer of armour?
>>
>>     
>
> I guess this could work for an isolated system, but those are of limited
> interest.
of limited interest ... or extremely secure ;-)

>  Most systems have some interaction with the outside even
> though the community may be a closed one.
>   
Many military, navy, government, financial systems have a hard 
requirement that they do not communicate with the internet (or even with 
anything that does). In my case, I can live with that.

What if you effectively have two devices in one? Say you do your IP 
header en/de-cryption at driver level? Encrypt wifi and not BlueTooth? 
In my case, I can also live with that.


> When faced with a DOS attack, the challenge is to get rid of as many
> packets as possible with the absolute least effort. the question is --
> would encrypting the IP headers help or hinder this ??
>   
An excellent point and a very good question (drat!). Let me think it 
through. At first glance, it seems to add more processing, especially at 
a time-critical low-level. You _might_ save time at higher levels by 
doing so, but the bottle-neck is at the interrupt-handlers/drivers, 
trying to triage the IP packets at the earliest opportunity. I have seen 
devices do this - they are effectively routers. To answer that question, 
I guess I would have to "suck it and see" - code it up and profile it.

Unless anyone else has experience, or even a gut feeling?

Thanks, as always, Peter, for the provocation to thought.
> Regards.....Peter
>
>
>   


-- 
Technical Director
Leonix Solutions (Pte) Ltd
18 Boon Lay Way
#09-95 TradeHub 21
Singapore 609966
Telephone:+65 6316 9968
Fax: +65 6316 9208