RE: [Openvpn-users] IPSec vulnerability


  • Subject: RE: [Openvpn-users] IPSec vulnerability
  • From: chosner@xxxxxxxxxxxxxxxxx
  • Date: Wed, 11 May 2005 14:42:59 -0400 (EDT)

Like Rick says, OpenVPN uses an "ESP in Tunnel mode LIKE" structure.  I'm 
pretty sure it's not a problem since integrity control is applied at the 
same level as confidentiality control, resulting in errors in one or both 
being easier to couple together by the security control.  IPSec ESP in 
Tunnel mode without integrity uncouples these two, allowing confidentiality 
to happen at a lower OSI layer, and relying on a higher layer, post 
decryption, to handle integrity.  I think that is the crux of the problem.  
OpenVPN is doing both in a coupled fashion at the same layer making it 
harder to use one control to fool the other.  I would like to hear from 
others who can confirm my assessment, or explain it better.  I'd sum it up 
at "don't decrypt your data at layer 2, then hand it up to layer 4-7 for 
integrity checking, and if you do, don't return error messages with 
anything other than generic data in them."  

Perhaps another potential weakness of protocol/kernel coupling and the 
danger of using complex protocols for security controls.

c
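The coupling Charlie describes above, as an added example that is not part of this thread and not OpenVPN's code: an encrypt-then-MAC receiver that verifies a tag over the ciphertext before decrypting and answers every failure with the same bare drop, beside a decrypt-only receiver in the style of ESP without integrity that hands whatever it decrypts up to the next layer. The HMAC-SHA256 counter-mode keystream is a stand-in toy cipher so the script runs with only the Python standard library; the keys, nonce, payload and the `NONCE_LEN`/`TAG_LEN` framing are constructed values.

```python
import hmac
import hashlib
from typing import Optional

# Added example, not OpenVPN's code. A keystream built from HMAC-SHA256 in
# counter mode stands in for the real block cipher so this runs with only the
# standard library; it is a teaching toy, not a recommended construction.
NONCE_LEN = 12
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the XOR is symmetric) with no integrity protection."""
    ks = _keystream(enc_key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def seal_coupled(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so the integrity
    decision is made at the same layer as decryption, on the same bytes."""
    ct = xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_coupled(enc_key: bytes, mac_key: bytes, packet: bytes) -> Optional[bytes]:
    """Verify before decrypting. Every failure is the same bare drop (None):
    nothing about which check failed, or about the plaintext, goes back out."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce = packet[:NONCE_LEN]
    ct = packet[NONCE_LEN:-TAG_LEN]
    tag = packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return xor_keystream(enc_key, nonce, ct)


def seal_uncoupled(enc_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ESP-without-integrity style: confidentiality only."""
    return nonce + xor_keystream(enc_key, nonce, plaintext)


def open_uncoupled(enc_key: bytes, packet: bytes) -> bytes:
    """Decrypt whatever arrives and hand it up. Corruption becomes the upper
    layer's problem, and whatever that layer reports about it leaks outward."""
    return xor_keystream(enc_key, packet[:NONCE_LEN], packet[NONCE_LEN:])


def flip_bit(packet: bytes, index: int) -> bytes:
    """Simulate one bit of in-flight corruption."""
    b = bytearray(packet)
    b[index] ^= 0x01
    return bytes(b)


def demo():
    enc_key = b"\x11" * 32          # constructed keys, nonce and payload
    mac_key = b"\x22" * 32
    nonce = b"\x00" * NONCE_LEN
    msg = b"GET /secret HTTP/1.0\r\n"

    coupled_pkt = seal_coupled(enc_key, mac_key, nonce, msg)
    uncoupled_pkt = seal_uncoupled(enc_key, nonce, msg)

    # Corrupt one bit in the first ciphertext byte of each packet.
    coupled_out = open_coupled(enc_key, mac_key, flip_bit(coupled_pkt, NONCE_LEN))
    uncoupled_out = open_uncoupled(enc_key, flip_bit(uncoupled_pkt, NONCE_LEN))
    return coupled_out, uncoupled_out, msg


if __name__ == "__main__":
    coupled_out, uncoupled_out, msg = demo()
    print("coupled receiver  :", "dropped" if coupled_out is None else coupled_out)
    print("uncoupled receiver:", uncoupled_out)   # one byte off, nothing noticed
```

Run it and the coupled receiver reports only "dropped" for the corrupted packet, while the uncoupled receiver returns a plaintext that differs from the original in exactly the corrupted byte and signals nothing; the first receiver's single generic outcome is the "don't return error messages with anything other than generic data" rule in code.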

On Wed, 11 May 2005, Tibbs, Richard wrote:

> OpenVPN uses ESP.
> Rick.
> 
> -----Original Message-----
> From: openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx
> [mailto:openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Jim
> Drash
> Sent: Wednesday, May 11, 2005 2:14 PM
> To: Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: [Openvpn-users] IPSec vulnerability
> 
> On 5/11/05, Charlie Hosner <chosner@xxxxxxxxx> wrote:
> > This looks kind of nasty
> > http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en
> > 
> > I'm still reading the fine print.  BRB
> 
> Since OpenVPN does not use IPSec this has nothing to do with OpenVPN. 
> I am curious as to why this was posted to this list.  Was it just an
> FYI?
> 
> -- Jim D.
> 
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users

