>
> > I have a quick question. I was told that numerous firewalls out on the
> > market advertise that they can secure udp and rpc connections. I have also
> > been told that it is impossible to make udp or rpc secure unless using
> > point-to-point encryption. Is this true and if so why is it that they can
> > not be made secure? Also could someone point me in the right direction to
> > learn more about point-to-point encryption... i.e. current products, algorithms
> > used... etc.
>
> How secure is `secure'??
>
> It's very easy to forge clear text UDP messages (eg. insert one
> additional message in an ongoing UDP conversation) without any way
> for the destination to recognize this (at the UDP layer).
>
> It's more difficult to do this with TCP, as you have to get the
> sequence number(s) right (at the right time).
>
> BUT ... this is only `more difficult', not 100% secure. Such
> attacks have been observed and are usually called `hijacking' or
> `tcp splicing'.
>
> Encryption can help with both TCP and UDP.
>
> Some people can accept the risk of forged cleartext UDP messages,
> others can't accept the risk of hijacks of encrypted TCP sessions.
>
> You have to decide for yourself.
>
> \Bernhard.
>
You are asking for IP authentication and/or encryption. IPsec WG is doing that job. Look at RFC 1825, 1826, 1827, 1828, .. and current drafts: draft-ietf-ipsec-*. You can find them at ds.internic.net or in your local NIC. Also in:
http://www.ietf.cnri.reston.va.us/html.charters/ipsec-charter.html
----------------------------------------------------
Luis Saiz Gimeno
saiz @ gc . ssr . upm . es
----------------------------------------------------
Crypto can't create trust. It merely automates the trust that
already exists for other reasons.
--John Gilmore
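As an added illustration, not part of the thread, here is a simplified model of what the IPsec AH-style authentication Luis points to adds on top of a cleartext UDP exchange: a security parameter index, a sequence number and a keyed MAC over both plus the payload, so the receiver can reject an inserted, modified or replayed datagram instead of having "no way to recognize this" as Bernhard describes. The key, SPI, window size and all function names are constructed assumptions; this is not an implementation of the RFCs.

```python
import hashlib
import hmac
import struct

# Assumptions (constructed for this example, not from the thread):
KEY = b"constructed-demo-shared-secret-0123456789"  # pre-shared by the two hosts
SPI = 0x1001      # security parameter index naming this association
WINDOW = 32       # anti-replay window, in sequence numbers
TAG_LEN = 12      # 96-bit truncated HMAC, a common AH tag length

def protect(seq, payload, key=KEY):
    """Sender: SPI || seq || payload || HMAC-SHA256(key, SPI || seq || payload)[:TAG_LEN]."""
    header = struct.pack("!II", SPI, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

def unauthenticated_datagram(seq, payload):
    """What a party without the key can produce: a well-formed header and a guessed tag."""
    return struct.pack("!II", SPI, seq) + payload + bytes(TAG_LEN)

def tampered(datagram, offset=8):
    """Flip one bit of an authenticated datagram (offset 8 is the first payload byte)."""
    out = bytearray(datagram)
    out[offset] ^= 0x01
    return bytes(out)

class Receiver:
    """Checks the tag first, then a sliding anti-replay window (simplified: 'seen' never shrinks)."""
    def __init__(self, key=KEY):
        self.key, self.highest, self.seen = key, 0, set()

    def verify(self, datagram):
        if len(datagram) < 8 + TAG_LEN:
            return None, "too short"
        header, body, tag = datagram[:8], datagram[8:-TAG_LEN], datagram[-TAG_LEN:]
        spi, seq = struct.unpack("!II", header)
        if spi != SPI:
            return None, "unknown SPI"
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"          # inserted or modified datagram
        if seq in self.seen or seq <= self.highest - WINDOW:
            return None, "replay"           # duplicate or older than the window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return body, "ok"

if __name__ == "__main__":
    rx = Receiver()
    for d in (protect(1, b"hello"), protect(1, b"hello"), unauthenticated_datagram(2, b"inserted"),
              tampered(protect(3, b"pay 10")), protect(3, b"pay 10")):
        print(rx.verify(d))
```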