[Hipsec-rg] next steps with draft-heer-hip-middle-auth-00

julien.IETF at laposte.net (Julien Laganier) Thu, 24 January 2008 08:26 UTC

From: "julien.IETF at laposte.net"
Date: Thu, 24 Jan 2008 09:26:01 +0100
Subject: [Hipsec-rg] next steps with draft-heer-hip-middle-auth-00
In-Reply-To: <200801240906.18235.julien.IETF@laposte.net>
References: <77F357662F8BFA4CA7074B0410171B6D04049B5D@XCH-NW-5V1.nw.nos.boeing.com> <Pine.SOL.4.64.0801240020280.1083@kekkonen.cs.hut.fi> <200801240906.18235.julien.IETF@laposte.net>
Message-ID: <200801240926.03441.julien.IETF@laposte.net>

On Thursday 24 January 2008, Julien Laganier wrote:
> On Wednesday 23 January 2008, Miika Komu wrote:
> > Hi Julien,
> >
> > I didn't get the point with stateful firewalls, can you clarify?
> > The SPI field is integrity protected. Also, a fake base exchange
> > (to create a fake ESP channel) can pass all ACL checks in the
> > firewall if the firewall does not check signatures in a mobile
> > environment.
>
> Hi Miika,
>
> The midbox cannot verify that the ESP packet originates from a node
> that participated in the BEX. It only verifies that the ESP SPI was
> included in the base exchange, but there is no strong (cryptographic)
> validation of data origin at the midbox for ESP.
>
> Since in the end no strong guarantee on the ESP data origin is
> provided, IMHO it seems that the (strong) validation of BEX
> signatures by midboxes hasn't much value. Security strength is
> determined by the strength of each element of the chain. Here the
> last element is weak (looking at SPI without verifying data origin)
> thus I'm not convinced about the strength of the mechanism.

...and consequently I don't see a need to make BEX inspection security
even stronger (Tobia's proposal) since the weak admission control of
ESP packets will remain.

Again, I think we should discuss first what is the security service we
want to provide (e.g. admission control), and requirements we place,
before entering solution space.

--julien