Re: [OPSEC] minutes part 2

"Darrel Lewis (darlewis)" <darlewis@cisco.com> Thu, 18 December 2008 19:59 UTC

From: "Darrel Lewis (darlewis)" <darlewis@cisco.com>
To: "Bhatia, Manav (Manav)" <manav@alcatel-lucent.com>, rja@extremenetworks.com, opsec wg mailing list <opsec@ietf.org>
Date: Thu, 18 Dec 2008 11:59:24 -0800
Subject: Re: [OPSEC] minutes part 2
Message-ID: <60C4A248E730F249990993E3B9BD44D806E3789A@xmb-sjc-218.amer.cisco.com>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D83547FFA2C1@INBANSXCHMBSA1.in.alcatel-lucent.com>

> Hi Ran,
>
> > On 16 Dec 2008, at 12:27, Vishwas Manral wrote:
> > > Thanks for the information about insider attacks. I have
> > > raised issues with using IPsec ESP for OSPFv3 protection
> > > about 3 years back, as we cannot block packets in all such
> > > cases (as the firewall may not know of the contents inside
> > > the ESP packet).
> >
> > Your claim above is not obvious.
> > Please explain when/why you believe the claim above is true.
>
> It is impossible for firewalls and intermediate routers to
> differentiate between encrypted ESP and ESP NULL packets by
> simply examining them because of the way ESP is defined. This
> poses problems for the firewalls since such packets (OSPFv3)
> cannot be filtered and identified.
>

If this discussion is specific to ISPs needing to prevent customers from
attacking their IGP, then you are (I think) mistaken in specifying the
need for PE routers that implement infrastructure access control to
examine the data inside the packets.  There is no reason (aside from
lack of filtering features/performance on the PE) that a service
provider should let customer originated ESP packets be forwarded toward
its infrastructure.

If this is a more general discussion about network filtering of
OSPFv3/ESP packets and intra-enterprise firewalling, then yes, I guess
it could be problematic.

-Darrel

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec
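The two positions in this exchange, as an added example that is not code from the thread or from any of its participants: the ESP header (RFC 4303) exposes only an SPI and a sequence number, so a middlebox parsing an ESP-NULL OSPFv3 packet and an encrypted one sees the same structure and has no field that says which is which; the mitigation Darrel describes does not need that distinction, because an infrastructure ACL on a customer-facing PE interface drops customer-originated ESP (and OSPFv3) toward infrastructure addresses by protocol number and destination alone. The infrastructure prefixes, interface roles and packet bytes are constructed for the example; `build_esp`, `parse_esp_header` and `infra_acl_decision` are hypothetical helper names.

```python
"""Added example: ESP on the wire versus an infrastructure ACL at the edge.
All prefixes, interface roles and packet contents below are constructed."""
import ipaddress
import struct

IPPROTO_ESP = 50    # IANA protocol / IPv6 next-header number for ESP (RFC 4303)
IPPROTO_OSPF = 89   # IANA protocol / IPv6 next-header number for OSPF and OSPFv3

# Constructed infrastructure prefixes: loopbacks and core links that only the
# provider's own routers should ever be able to reach.
INFRA_PREFIXES = [
    ipaddress.ip_network("2001:db8:ffff::/48"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """Assemble an ESP packet: 4-byte SPI, 4-byte sequence number, then the
    payload (RFC 4303). Padding and the ICV are omitted; they are not needed
    to show what a middlebox can and cannot read."""
    return struct.pack("!II", spi, seq) + body


def parse_esp_header(pkt: bytes) -> dict:
    """Return the only fields a middlebox can read from ESP without the SA.
    There is no flag or field that indicates whether the payload is
    encrypted (ESP-NULL) or not; that lives only in the endpoints' SA state."""
    if len(pkt) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", pkt[:8])
    return {"spi": spi, "seq": seq, "payload_len": len(pkt) - 8}


# Constructed stand-ins: 16 bytes shaped like an OSPFv3 Hello header
# (version 3, type 1) inside ESP-NULL, and 16 opaque bytes standing in for
# ciphertext. Both ride under the same SPI/sequence number on purpose.
OSPFV3_HELLO_STANDIN = bytes.fromhex("03010024000000010000000100000000")
CIPHERTEXT_STANDIN = bytes.fromhex("9f1c7a02e4b85d3371c6a0ff0e2b5894")
ESP_NULL_PKT = build_esp(0x100, 1, OSPFV3_HELLO_STANDIN)
ESP_ENCRYPTED_PKT = build_esp(0x100, 1, CIPHERTEXT_STANDIN)


def compare_on_the_wire() -> tuple:
    """Parse both packets the way a firewall would; the parsed headers are
    identical, which is Manav's point: inspection cannot separate them."""
    return parse_esp_header(ESP_NULL_PKT), parse_esp_header(ESP_ENCRYPTED_PKT)


def infra_acl_decision(iface_role: str, src: str, dst: str, next_header: int) -> str:
    """Infrastructure ACL as a PE would apply it: on customer-facing
    interfaces, drop ESP and OSPFv3 whose destination is an infrastructure
    address, without looking inside the packet. Core-facing interfaces are
    not filtered here. `src` is accepted for completeness of the 5-tuple."""
    if iface_role != "customer":
        return "permit"
    dst_addr = ipaddress.ip_address(dst)
    # ip_network.__contains__ returns False (no exception) across IP versions.
    if any(dst_addr in net for net in INFRA_PREFIXES):
        if next_header in (IPPROTO_ESP, IPPROTO_OSPF):
            return "drop"
    return "permit"


if __name__ == "__main__":
    null_hdr, enc_hdr = compare_on_the_wire()
    print("ESP-NULL header:  ", null_hdr)
    print("encrypted header: ", enc_hdr)
    print("distinguishable by inspection:", null_hdr != enc_hdr)
    print("customer ESP -> infra:", infra_acl_decision("customer", "2001:db8:1::1", "2001:db8:ffff::1", IPPROTO_ESP))
    print("customer ESP -> other customer:", infra_acl_decision("customer", "2001:db8:1::1", "2001:db8:2::1", IPPROTO_ESP))
    print("core ESP -> infra:", infra_acl_decision("core", "2001:db8:ffff::2", "2001:db8:ffff::1", IPPROTO_ESP))
```

The ACL deliberately keys on destination and protocol number only, which is why the "lack of filtering features/performance on the PE" caveat in the reply is the real constraint: a platform that can match next-header 50 and 89 against a prefix list on ingress needs nothing from the ESP payload. The enterprise case Darrel sets apart is different precisely because there the same ESP traffic is legitimately expected to cross the firewall toward routers that are also reachable by users.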