[Openswan Users] left/rightsendcert=always questions

Michael Richardson mcr at sandelman.ottawa.on.ca
Fri May 14 16:07:38 CEST 2004




>>>>> "Ken" == Ken Bantoft <ken at xelerance.com> writes:
    Ken> however people have raised concerns that it's a security hole, as you 
    Ken> 'leak' data to anyone who initiates an IPsec connection to you.

  They can get the info if they want, however, they have to reveal their
identity first.

  The reason for ifasked= is because of UDP packet size issues.

  This is a real issue - we have seen situations where UDP fragments
were filtered. Secondly, if one can avoid ever fragmenting IKE packets
(and block all fragments!) then fragmentation attacks won't be
possible.   Fragmentation attacks can consume significant system
resources - one of the major ways to defend against them is to use
IPsec!  
  So, if IKE is vulnerable to this, then there is a chicken and egg
situation. 

--
]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
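As an added illustration of the packet-size point in the post above (this is example code, not from the list or from Openswan): an estimate of how large an IKEv1 main-mode identity message becomes once a CERT payload is bundled in, and how many IP fragments it would need at a given MTU. Header sizes are the fixed ISAKMP/IP/UDP constants; the payload mix, the ID length, the signature length and the cipher block size are assumptions chosen for the example.

```python
# Added example: estimate IKEv1 main-mode message size with/without a CERT
# payload, to see whether sendcert=always would push the datagram past the MTU.
ISAKMP_HDR = 28   # fixed ISAKMP header (RFC 2408)
GEN_HDR = 4       # generic payload header: next payload, reserved, length
IP_HDR = 20       # IPv4 header without options
UDP_HDR = 8


def payload(body_len):
    """Size of one ISAKMP payload: generic header plus body."""
    return GEN_HDR + body_len


def main_mode_identity_msg(id_len, sig_len, cert_der_len=None, block=16):
    """Estimated length of main-mode message 5/6 (ID, [CERT], SIG).

    The encrypted part is padded to the cipher block size (assumption: AES-CBC,
    16 bytes). id_len is the identification data length, sig_len the RSA
    signature length, cert_der_len the DER certificate length when one is sent.
    """
    plain = payload(4 + id_len) + payload(sig_len)      # ID header fields + data, SIG
    if cert_der_len is not None:
        plain += payload(1 + cert_der_len)              # 1 byte cert encoding + DER
    padded = -(-plain // block) * block                 # round up to block size
    return ISAKMP_HDR + padded


def udp_datagram_size(ike_len):
    """IP datagram length carrying the IKE message over UDP/500."""
    return IP_HDR + UDP_HDR + ike_len


def fragments_needed(datagram_len, mtu=1500):
    """Number of IPv4 fragments the datagram needs on a path with this MTU."""
    if datagram_len <= mtu:
        return 1
    per_frag = ((mtu - IP_HDR) // 8) * 8   # fragment payload in 8-byte units
    return -(-(datagram_len - IP_HDR) // per_frag)


if __name__ == "__main__":
    # Constructed sample: 20-byte ID, 2048-bit RSA signature, 1200-byte DER cert
    for cert in (None, 1200):
        size = udp_datagram_size(main_mode_identity_msg(20, 256, cert))
        print(f"cert={cert}: datagram {size} bytes, fragments {fragments_needed(size)}")
```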

