ipsec November 2007 archive
Main Archive Page > Month Archives  > ipsec archives
ipsec: [IPsec] Re: ESP's use of dummy packets?

[IPsec] Re: ESP's use of dummy packets?

From: Csaba Kiraly <kiraly_at_nospam>
Date: Thu Nov 29 2007 - 22:37:43 GMT
To: Joy Latten <latten@austin.ibm.com>

> Joy Latten wrote:
> RFC 4303 introduces the use of dummy packets within ESP.
> Section 2.6 states,
> A transmitter MUST be capable of generating dummy packets marked
> with this value in the next protocol field, and a receiver MUST be
> prepared to discard such packets, without indicating an error.
> However, it is not clear to me whether an IPsec/ESP implementation
> use this feature. That is, it MUST send out dummy packets at random
> intervals or in a way to shape the traffic. I interpreted the
> above statement to mean that an implementation must only have the
> capability.
> That's correct.
> You had better be able to discard them if the other end sends them,
> though.
> Which means you'll have to test that. Which means that you'll have to
> find a way to generate them in your lab... so it means that you'll
> wind up having to implement it anyway.

Dear Joy,

If you need dummy generation in Linux, we have an open source implementation in the kernel for our Traffic Flow Confidentiality protocol. I'm quite sure it can easily be transformed into an RFC 4303 compliant one.

Since this list is not intended to discuss implementations, I'm just pointing you to
http://minerva.netgroup.uniroma2.it/discreet/wiki/TfcProject and of course feel free to contact me directly for a patch.

I would also like to take the occasion to say that we have made some efforts to extend the Traffic Flow Confidentiality capabilities of IPsec. In our research we were trying to create a separate TFC security protocol, which goes beyond the limited TFC capabilities that were already included in ESPv3. We have included support for size modifications such as padding (with explicit payload size information), fragmentation and aggregation. It also supports packet re-timing, as well as dummy generation and discarding. Finally, the choice of the masking algorithm combining one or more of these basic tools is handled separately.

Of course these are just initial steps, and the same ideas can be imagined as part of ESP as well. If there is still interest in the list for TFC, I would be really glad to discuss ideas!

Best regards,

IPsec mailing list