Peter Trei wrote... "Durden's question was whether a snooper on an IPSEC VPN can tell (for example) an encrypted email packet from an encrypted HTTP request. The answer is no. All Eve can tell is the FW1 sent FW2 a packet of a certain size. The protocol of the encapsulated IP packet, it's true source behind FW1, it's true destination behind FW2, and the true destination port are all hidden." Yes, this was indeed the gist of my question. I was aware that there are actually hard and soft switches that are aware all the way up to the application layer, apparently (I also know that some softswiches have actually been deployed in RBOC/Baby Bell territory.) But from your previous email, you indicated that the secure IPSEC tunnel is created by taking the packets, encrypting S/A, D/A, payload and protocol fields (ie, pretty much everything) and then dumping them into the payload of another packet, and setting the Protocol field of the parent-packet to "IPSEC". All that is now visible are the firewall addresses. That's a lot, methinks! In other words, there's practically a bright red flag sticking up saying "I'm encrypted! Look over here!"...it's child's play (well, if you consider making an ASIC child's play!) to then look at the S/A and D/a to see if they are interesting. If they belong to the IP spaces of two large companies, for instance, then look elsewhere (though I hear rumors that the NSAs of the world are branching out into industrial eavesdropping for their parent companies, ehr, for their parent countries). If a secure VPN tunnel forms between al-Jazeera's firewall and, say, some ISP near Atlantic Avenue in Brooklyn (heavy Arab community), then all sorts of spyglasses could pop up. Thus, I suspect a lot can be gleaned (and is) from communiques without actually de-encrypting...the philosohpy probably is, "why violate civil rights unless we really, really have to? Extract as much as we can without actually de-encrypting, and if the probably of something being "interesting" is high enough, then we'll send it downstairs to be opened" (and even then, determining how hard it is to open the communique might also be of interest...is it legal to open somebody else's email but not read it?) Here's a little quote for ya, since it seems to be the in-thing to do... "The revolution is right where we want it: out of our control." (Royal Family and the Poor)
From: "Trei, Peter" <ptrei@rsasecurity.com> To: cypherpunks@lne.com, "'Major Variola (ret)'" <mv@cdc.gov> Subject: RE: What email encryption is actually in use? Date: Mon, 4 Nov 2002 12:58:55 -0500
Major Variola (ret)[SMTP:mv@cdc.gov]
At 10:13 AM 11/4/02 -0500, Tyler Durden wrote:
This is an interesting issue...how much information can be gleaned from
encrypted "payloads"?
Traffic analysis (who, how frequently, temporal patterns) Size of payload
Is it possible for a switch or whatever that has
visibility up to layers 4/5/6 to determine (at least) what type of file is being sent?
Yes.
Modern network equiptment can examine all the way up to "layer 7". Can tell that you're sending an .mp3 and will cut your QoS, if that's the policy.
Durden's question was whether a snooper on an IPSEC VPN can tell (for example) an encrypted email packet from an encrypted HTTP request.
The answer is no.
All Eve can tell is the FW1 sent FW2 a packet of a certain size. The protocol of the encapsulated IP packet, it's true source behind FW1, it's true destination behind FW2, and the true destination port are all hidden.
Peter
_________________________________________________________________ Unlimited Internet access -- and 2 months free! Try MSN. http://resourcecenter.msn.com/access/plans/2monthsfree.asp