ipsec October 2011 archive

Re: [IPsec] [TICTOC] Review request for IPsec security for packet based synchronization (Yang Cui)

From: Nico Williams <nico_at_nospam>
Date: Tue Oct 18 2011 - 19:20:01 GMT
To: Kevin Gross <kevin.gross@avanw.com>

On Tue, Oct 18, 2011 at 1:57 PM, Kevin Gross <kevin.gross@avanw.com> wrote:
> I suppose there is a possible selective attack vector here based on messing
> with packets based on their length and transmission timing. It's an
> interesting topic but I don't think that was the intended topic of this
> discussion. We want to figure out how/if we can make clock distribution work
> through an IPSec connection. I guess your point is that an "IPSec
> connection" should be defined as an IPSec connection _under active attack_.
> I'm afraid I'm not qualified to assess these larger-picture security questions.

[Nit: it's IPsec, not IPSec.]

There's no such thing as an "IPsec connection". (The closest to that
would be RFC5660.)

I don't understand what it is about IPsec that makes it difficult or
impossible to distribute time ("[w]e want to figure out how/if we can
make clock distribution work through [IPsec]"). My guess is that you
are referring to IPsec processing latency, but that's only a guess.

Nico
--
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec