Grewal, Ken writes:
> [Ken] I agree that one cannot just trust the bit, but it can provide the
> firewall (or IDS/IPS system) with enough knowledge to determine if it
> can successfully scan the payload inside the packet.
As there cannot be any encrypted traffic you would like to get through in that case, you can simply continue inspecting the traffic. There are very few different valid ESP-NULL algorithms commonly in use, and in the enterprise case you most likely enforce exactly one (or perhaps two) algorithms, thus you already know the offset and such for the legitimate traffic. So you simply start inspecting data from there, and if it does not look like a plaintext IP packet you throw the packet away, based on the fact that it was either encrypted, or used a non-approved ESP-NULL algorithm, or it was just some kind of attack.
As the algorithms for the same SPI + IP-address pair cannot change on the fly, you can also do this heuristic check only for the first packet for each seen SPI + IP-address pair (and perhaps after IKE SA creation, just in case the other end decided to select exactly the same IPsec SPI for the first child SA it creates after a crash; reusing the same SPI for rekeys is not allowed).
As the device will most likely do stateful inspection anyway, it will be storing much more state information from the TCP sessions run inside the ESP-NULL SA than what it needs to store for the SPI...

-- 
firstname.lastname@example.org

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
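The check described in this message, written out as an added example (it is not code from the original post, from the IETF IPsec WG, or from any draft). It assumes the middlebox enforces exactly one ESP-NULL transform, NULL encryption with HMAC-SHA1-96 (12-byte ICV, no IV), so the ESP header, trailer and ICV offsets are fixed; carves the payload at those offsets; tests whether the bytes there look like a plaintext IPv4, TCP or UDP header; caches the verdict per (source IP, SPI) so the heuristic runs only on the first packet of each pair; and offers a `forget()` hook for the "after IKE SA creation" re-check. The class and function names, the transform constants and the sample packets are all constructed for this example.

```python
"""Heuristic ESP-NULL pre-check for a middlebox enforcing one known transform.
Added example for this archive page; constants and samples are assumptions."""
import struct

# Assumed enforced transform: NULL encryption + HMAC-SHA1-96 (RFC 4303 layout).
ESP_HDR_LEN = 8    # SPI (4) + sequence number (4)
IV_LEN = 0         # NULL encryption carries no IV
ICV_LEN = 12       # HMAC-SHA1-96 truncated ICV
TRAILER_LEN = 2    # pad length + next header
IPPROTO_IPV4, IPPROTO_TCP, IPPROTO_UDP = 4, 6, 17


def ipv4_checksum(hdr):
    """RFC 1071 one's-complement sum; a header with a valid checksum yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def split_esp_null(esp):
    """Carve an ESP packet at the offsets fixed by the enforced transform.
    Returns (spi, payload, next_header), or None if the lengths do not fit."""
    if len(esp) < ESP_HDR_LEN + IV_LEN + TRAILER_LEN + ICV_LEN:
        return None
    spi = struct.unpack("!I", esp[:4])[0]
    body = esp[ESP_HDR_LEN + IV_LEN:len(esp) - ICV_LEN]  # payload+pad+trailer
    pad_len, next_hdr = body[-2], body[-1]
    if pad_len + TRAILER_LEN > len(body):
        return None
    return spi, body[:len(body) - TRAILER_LEN - pad_len], next_hdr


def looks_like_ipv4(p):
    """Tunnel mode: payload must start with a self-consistent IPv4 header."""
    if len(p) < 20 or p[0] >> 4 != 4:
        return False
    ihl = (p[0] & 0x0F) * 4
    total_len = struct.unpack("!H", p[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(p):
        return False
    return ipv4_checksum(p[:ihl]) == 0


def looks_like_tcp(p):
    """Transport-mode TCP: sane data offset and zero reserved bits."""
    if len(p) < 20:
        return False
    data_off = (p[12] >> 4) * 4
    return 20 <= data_off <= len(p) and (p[12] & 0x0E) == 0


def looks_like_udp(p):
    """Transport-mode UDP: length field must match the carried bytes."""
    return len(p) >= 8 and struct.unpack("!H", p[4:6])[0] == len(p)


def looks_like_plaintext(payload, next_hdr):
    """True if the carved bytes are plausibly unencrypted IP traffic. Anything
    else is treated as encrypted, a non-approved transform, or an attack."""
    check = {IPPROTO_IPV4: looks_like_ipv4, IPPROTO_TCP: looks_like_tcp,
             IPPROTO_UDP: looks_like_udp}.get(next_hdr)
    return check is not None and check(payload)


class EspNullInspector:
    """Runs the heuristic once per (source IP, SPI) and caches the verdict,
    since the transform of an SA cannot change while the SA lives."""

    def __init__(self):
        self.verdicts = {}

    def forget(self, src_ip):
        """Call after a new IKE SA from src_ip: its first child SA may reuse an
        SPI already judged, so the next packet must be checked afresh."""
        for key in [k for k in self.verdicts if k[0] == src_ip]:
            del self.verdicts[key]

    def accept(self, src_ip, esp):
        """Return (accepted, reason); accepted packets go on to stateful inspection."""
        parts = split_esp_null(esp)
        if parts is None:
            return False, "length does not fit the enforced transform"
        spi, payload, next_hdr = parts
        key = (src_ip, spi)
        if key not in self.verdicts:            # heuristic only on first packet
            self.verdicts[key] = looks_like_plaintext(payload, next_hdr)
        if self.verdicts[key]:
            return True, "plaintext ESP-NULL, inspect inner packet"
        return False, "encrypted, non-approved transform, or attack"


def build_sample(inner, spi=0x12345678, seq=1, next_hdr=IPPROTO_IPV4):
    """Constructed ESP-NULL packet. ICV is left as zeros: a middlebox without
    the SA key cannot verify it anyway, so the heuristic never looks at it."""
    pad_len = (-(len(inner) + TRAILER_LEN)) % 4
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding
    return (struct.pack("!II", spi, seq) + inner + padding
            + bytes([pad_len, next_hdr]) + b"\x00" * ICV_LEN)


def build_inner_ipv4_udp(data=b"hello"):
    """Constructed inner IPv4+UDP packet 10.0.0.1 -> 10.0.0.2:53."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(data), 0) + data
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                      IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp


# Constructed stand-in for ciphertext (fixed bytes, not real ESP output); its
# trailer is forced to the worst case, a next-header byte that claims IPv4.
OPAQUE = bytes.fromhex("9f3ac17e52b0d8e6a41c7f9b03d5e2687ac4f10b9e36d27185c3a0f4"
                       "e7b9216d0c5a3f8e1b7d4c2a96e05f3b8d1c7a425be913f7a08c6d2e71d4a9c3")
```

The cache is the point the message makes about state: one boolean per (source IP, SPI) is negligible next to the TCP connection state the same box already tracks for the inner flows. Note that once a pair has been judged plaintext, later packets on it are passed without re-running the heuristic; that is exactly the "first packet only" trade-off, and `forget()` is how an IKE observer would reopen the question when a new IKE SA appears.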