Re: IS DoS security solution is IPSEC?

cranium.2003_at_gmail.com
Date: 05/04/05 

Date: 4 May 2005 06:37:52 -0700

Walter Roberson wrote:
> In article <1115053865.175014.225550@l41g2000cwc.googlegroups.com>,
> <cranium.2003@gmail.com> wrote:
> : Sorry but confused about how encryption used in IPSec. I
read
> :about IKE used to exchange keys for encryption. But not able to find
> :how these keys are utilized in IPSec. what happen to ciphertext
created
> :when used DES( when applied Symmetric shared key to IP datagram)
>
> Once the keys are negotiated, usually the -effective- encryption
> keys change for every packet, by adding a packet sequence number
> on to the end of the fixed key and encrypting the message body with
> that, and sending the headers and the encrypted body.
>
> The other end knows what packet sequence number it expects, and it
> knows the fixed key, so it knows which composite key to use to
> decrypt the message body. And once it has successfully received the
> packet, it increments the internal sequence number, so the next
packet
> around it will use a different decryption key.
>
> The sequence numbers are kept track of independantly for transmitting
> and receiving.
>
>
> : Also whats difference between true entropy vs. pseudo random
> :entropy?
>
> With pseudo-random keys, you have a starting value and some algorithm
> for computing the next random key byte in sequence. Some fancy things
> can be done, but ultimately you run across the problem that if one
> knows the type of algorithm being used, then even though one does not
> know the exact parameters (constants) in use, one can gather enough
> data to be able to back-compute the parameters. Once that has
happened,
> one knows all the future numbers that will be produced, and one
> can read all of the message after that.
>
> With true randomness, no amount of knowledge of what has gone before
> will allow you to predict what the next value will be, so one is not
> able to read the message. The problem with this is that the other end
> doesn't know what the random value to use is either, not unless the
> list of random values has been transported to the other end through
> some -other- means [e.g., diplomatic courier with the case rigged to
> explode if it is not unlocked -exactly- the right way.] And that's
> a "key distribution problem". Obviously you don't want to be
> having to send a bonded courier with a random number list to every
> web site you want to visit.
> --
> "Who Leads?" / "The men who must... driven men, compelled men."
> "Freak men."
> "You're all freaks, sir. But you always have been freaks.
> Life is a freak. That's its hope and glory." -- Alfred Bester,
TSMD

Hello Walter,
Again got two IPSec question.
1) In AH protocol mutable IPv4 fields that cannot be proteted are
Type of Service (TOS)
Flags
Fragment offset
TTL
Header Checksum
         So that mean when MAC hash is calculated those fileds are
removed.
So i want to ask that mean packet is crosscheked only at end points of
communication?
Because when in path packet goes through Router to Router then adjecent
routers
 have same hash at sending router1 routine and receiving routine then
why not to include those fields?
or its the case that routers only forward packet by checking IP header
destination address?

2) Does IPSec is really vulnerable to man in middle attacks? if its
possible then when packet reaches to application layer of end system,
end system drops the packet in HMAC calcualation?
Is that right?

Relevant Pages

  • Re: UPNP/SSDP
    ... otherwise it's just a glorified packet filter with a set of rules. ... neither a NAT nor a router are referred to as packet filters. ... a NAT router for broadband internet does not do this, ... router to route traffic b/w two or more private networks and the internet. ...
    (microsoft.public.windowsxp.general)
  • Re: Nmap questions concering my router
    ... has only one interface, ... as having a chunk of space in the computer much like a hotel room. ... >is) directly connected to my router, which i dont set up a NAT yet. ... Which IP address is the packet addressed to? ...
    (comp.security.firewalls)
  • Re: IIS5 Passive FTP Networking problem (long)
    ... or do away with the router entirely (and the hardware based ... > had the ability to run an FTP server behind it without changing the IP ... The NAT changes the PASV response ... translate the address fields of a packet. ...
    (microsoft.public.inetserver.iis.security)
  • Re: MSS on router, why?
    ... The proper way to describe the ICMP packet which is supposed to be ... returned by a router which cannot forward the IP packet which is too ... Because ICMP was defined before Path MTU Discovery (1981 and 1990 ... fragmentation and try to use path MTU discovery, ...
    (comp.dcom.sys.cisco)
  • Re: Nmap questions concering my router
    ... Ah, but the packet is being sent to an application running on the router, ... not the web server on your LAN. ... we separate LAN from LAN as well as ...
    (comp.security.firewalls)
Quantcast