Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
From: gabriel montenegro <g_e_montenegro_at_nospam>
Date: Tue Oct 13 2009 - 21:07:04 GMT
To: Yaron Sheffer <firstname.lastname@example.org>, Tero Kivinen <email@example.com>, "Grewal, Ken" <firstname.lastname@example.org>
Just to make sure this does not fall through the cracks: we submitted rev 09 last week to address
the AD review comments, per discussion on the mailing list and at the virtual interim.
----- Original Message ----
> From: Yaron Sheffer <email@example.com>
> To: Tero Kivinen <firstname.lastname@example.org>; "Grewal, Ken" <email@example.com>
> Cc: "firstname.lastname@example.org" <email@example.com>; "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
> Sent: Mon, September 21, 2009 5:40:19 AM
> Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
>
> Hi Tero,
>
> Given that the existing ESP header is integrity-protected, I don't see the
> downside to adding the same protection for the new header. On the other hand,
> this would eliminate a whole class of vulnerabilities. We still have a few
> reserved bits in the WESP header, and you don't want to find out years down the
> road that they cannot be used because they're not protected in transit.
>
> Thanks,
> Yaron
>
> > -----Original Message-----
> > From: firstname.lastname@example.org [mailto:email@example.com] On Behalf Of
> > Tero Kivinen
> > Sent: Monday, September 21, 2009 14:14
> > To: Grewal, Ken
> > Cc: firstname.lastname@example.org; Pasi.Eronen@nokia.com
> > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-
> > visibility
> >
> > Grewal, Ken writes:
> > > >- A question: did the WG discuss the pros and cons of integrity
> > > >protecting the WESP header? (This does make WESP more complex to
> > > >implement, and currently the WESP header does not contain any data
> > > >that would benefit from integrity protection in any way.)
> > > [Ken] This change was the result of a discussion on threats posed by
> > > 'malware', which could modify the WESP headers to obfuscate the
> > > payload from inspection by intermediate nodes such as IDS/IPS
> > > systems.
> > > The issue (ticket #104) was raised and closed some time back after
> > > lengthy discussions on the topic.
> > > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
> >
> > As everything in the WESP header is something that can be verified by
> > the recipient node, why is the integrity protection needed?
> >
> > I think it would make implementation of WESP much easier if it can be
> > done as a post-processing step after ESP has been applied, in a similar
> > way UDP encapsulation can be done to the ESP packet.
> > --
> > email@example.com
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
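The checks Tero's message alludes to ("everything in the WESP header is something that can be verified by the recipient node") can be made concrete. The following is an added example, not code from this thread, from the draft or from any IPsec implementation: a WESP receiver cross-checks every header field against the state it already holds for the SA, while a middlebox, which has no SA state, has to take the same fields at face value. The field layout (Next Header, HdrLen, TrailerLen, then Version/E/P/Reserved flag bits) follows RFC 5840, the published form of this draft; the SA dictionary, the TrailerLen interpretation as ESP trailer plus ICV, the zero placeholder ICV and the sample packet are all constructed assumptions of this example.

```python
import struct

WESP_LEN = 4              # fixed WESP header size in octets
ESP_HDR_LEN = 8           # ESP SPI (4) + Sequence Number (4)
IPPROTO_NONE = 59         # WESP Next Header value when the ESP payload is encrypted (RFC 5840)


def parse_wesp(pkt: bytes) -> dict:
    """Split the 4-octet WESP header into its fields (no validation here)."""
    if len(pkt) < WESP_LEN:
        raise ValueError("packet shorter than a WESP header")
    nh, hdr_len, trl_len, flags = struct.unpack("!BBBB", pkt[:WESP_LEN])
    return {
        "next_header": nh,
        "hdr_len": hdr_len,
        "trailer_len": trl_len,
        "version": flags >> 6,             # 2-bit Version field
        "encrypted": bool(flags & 0x20),   # E bit: payload is encrypted
        "padded": bool(flags & 0x10),      # P bit: padding present after the WESP header
        "reserved": flags & 0x0F,          # 4 reserved bits, must be zero
    }


def recipient_checks(pkt: bytes, sa: dict) -> list:
    """Return every inconsistency a WESP recipient can detect from its own SA state.

    `sa` is a constructed stand-in for the SAD entry:
    {"encrypted": bool, "iv_len": int, "icv_len": int}.
    A middlebox has none of this state and must trust the header; the recipient need not.
    """
    h = parse_wesp(pkt)
    problems = []
    if h["version"] != 0:
        problems.append("unknown WESP version")
    if h["reserved"] != 0:
        problems.append("reserved bits set")
    if h["encrypted"] != sa["encrypted"]:
        problems.append("E bit disagrees with SA")
    # HdrLen is modelled as the offset from the WESP header to the first payload
    # octet, i.e. past SPI, Sequence Number and IV. No P-bit padding is modelled.
    expected_hdr = WESP_LEN + ESP_HDR_LEN + sa["iv_len"]
    if h["padded"]:
        problems.append("P bit set but this model sends no padding")
    elif h["hdr_len"] != expected_hdr:
        problems.append("HdrLen %d != expected %d" % (h["hdr_len"], expected_hdr))
    # TrailerLen is modelled as ESP trailer (Padding, Pad Length, Next Header) plus ICV.
    icv_len = sa["icv_len"]
    if sa["encrypted"]:
        # The ESP trailer is inside the ciphertext: only a lower bound is checkable
        # before decryption; the exact value is re-checked once the payload is decrypted.
        if h["trailer_len"] < icv_len + 2:
            problems.append("TrailerLen shorter than ICV plus minimal ESP trailer")
        if h["next_header"] != IPPROTO_NONE:
            problems.append("Next Header must be IPPROTO_NONE on an encrypted SA")
    else:
        # Integrity-only ESP: the trailer is in the clear, immediately before the ICV.
        if len(pkt) < h["hdr_len"] + 2 + icv_len:
            return problems + ["packet too short for declared layout"]
        pad_len = pkt[-(icv_len + 2)]
        trailer_nh = pkt[-(icv_len + 1)]
        if h["next_header"] != trailer_nh:
            problems.append("WESP Next Header %d != ESP trailer Next Header %d"
                            % (h["next_header"], trailer_nh))
        if h["trailer_len"] != pad_len + 2 + icv_len:
            problems.append("TrailerLen %d != Pad Length + 2 + ICV length %d"
                            % (h["trailer_len"], pad_len + 2 + icv_len))
    return problems


def build_integrity_only_packet(payload: bytes, next_header: int,
                                spi: int, seq: int, icv_len: int) -> bytes:
    """Build a constructed WESP + ESP packet for an integrity-only (NULL encryption) SA.

    The ICV is a zero placeholder: this example is about header layout, not the HMAC.
    """
    pad_len = (-(len(payload) + 2)) % 4                      # ESP aligns the trailer to 4 octets
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    icv = bytes(icv_len)
    wesp = struct.pack("!BBBB", next_header, WESP_LEN + ESP_HDR_LEN,
                       len(trailer) + icv_len, 0x00)         # Version 0, E=0, P=0, Reserved 0
    esp_hdr = struct.pack("!II", spi, seq)
    return wesp + esp_hdr + payload + trailer + icv


INTEGRITY_ONLY_SA = {"encrypted": False, "iv_len": 0, "icv_len": 12}   # e.g. HMAC-SHA1-96


def demo():
    """Return (problems for the untouched packet, problems for a header-modified copy)."""
    payload = b"\x00" * 16                                   # constructed 16-octet stand-in payload
    good = build_integrity_only_packet(payload, next_header=6, spi=0x1000, seq=1, icv_len=12)
    # Alter the unprotected WESP flags octet in transit: E bit flipped, one reserved bit set.
    altered = bytearray(good)
    altered[3] ^= 0x21
    return recipient_checks(good, INTEGRITY_ONLY_SA), recipient_checks(bytes(altered), INTEGRITY_ONLY_SA)


if __name__ == "__main__":
    good_problems, altered_problems = demo()
    print("untouched packet:", good_problems or "consistent with SA")
    print("altered header:  ", altered_problems)
```

The receiver catches the altered flags because it compares them with the SA it negotiated, which is Tero's argument; the middlebox in between saw an "encrypted" flag it could not question, which is Ken's. The reserved-bits check is the only one that relies on the field having a fixed value rather than on SA state, which is the case Yaron raises: once those bits acquire a meaning, the receiver can no longer tell a legitimate value from a modified one without integrity protection.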