tech-kern archive


Re: remote kernel debugging over a network



On Jun 6, 2010, at 11:51:33 AM, der Mouse wrote:

>>>>> IPKDB used [...].  [...] easy to support a single IPsec ESP [...]
>>>> [...]
>>> [...]
>> I must say, though, that the more I think about it, the more I'm
>> concerned about replay attacks.  You suggested that ESP replay
>> prevention be disabled, and that is in fact consistent with the ESP
>> specs when static keys are used.  I think we need to think, hard,
>> about what we want to do here.
> 
> You are beginning to see, maybe, why I prefer something _not_ built
> atop IP.  It's a lot easier to ignore this kind of threat when you
> don't have to even think about anything beyond the local layer-2
> broadcast domain.  While of course nothing is perfect, I think the
> number of cases where you want the routability of IP but have nothing
> on the local broadcast domain that can proxy is small enough that the
> cost of writing them off outweighs the cost of dealing with the issues
> that using IP raises.

Oh, your reasoning was obvious from the very beginning, but the disadvantages 
are obvious, too.  Proxies raise their own set of issues.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb
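The replay concern raised in the quoted text, as an added illustration that is not part of the thread: a Python model of the RFC 4303 sliding anti-replay window (64-entry bitmap) showing the replays it rejects, and why the ESP spec tells you to disable it for manually keyed SAs, which is the static-key situation the thread discusses. The reboot scenario is constructed for the example.

```python
# Model of the RFC 4303 ESP anti-replay window (64-bit bitmap).
# Added example, not code from the thread or from NetBSD.
from dataclasses import dataclass

WINDOW = 64  # minimum window size recommended by RFC 4303


@dataclass
class ReplayWindow:
    highest: int = 0  # highest sequence number accepted so far
    bitmap: int = 0   # bit i set => sequence number (highest - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is fresh (accept), False if replayed or too old."""
        if seq == 0:
            return False  # sequence number 0 is never sent on a valid SA
        if seq > self.highest:
            # Advance the window; everything that falls off the left is forgotten.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW:
            return False  # older than the window: cannot tell, so reject
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


def replay_audit(seqs):
    """Feed a constructed stream of ESP sequence numbers through one window."""
    win = ReplayWindow()
    return [win.check_and_update(s) for s in seqs]


def reboot_scenario():
    """Static key, no rekey: the sender's counter restarts at 1 after a reboot.

    The receiver keeps its window state, so every post-reboot packet lands
    below the window and is rejected. This is why RFC 4303 says anti-replay
    must be disabled for manually keyed SAs, which is what reopens the
    replay problem the thread worries about.
    """
    win = ReplayWindow()
    for s in range(1, 101):  # 100 packets before the reboot
        win.check_and_update(s)
    return [win.check_and_update(s) for s in range(1, 11)]  # after reboot
```

With the window disabled, as the spec permits for static keys, every value in `replay_audit` would be accepted, including the duplicates.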