|Main Archive Page > Month Archives > ipsec archives|
Grewal, Ken writes:
> >- A question: did the WG discuss the pros and cons of integrity
> >protecting the WESP header? (This does make WESP more complex to
> >implement, and currently the WESP header does not contain any data
> >that would benefit from integrity protection in any way.)
> [Ken] This change was the result of a discussion on threats posed by
> 'malware', which could modify the WESP headers to obfuscate the
> payload from inspection by intermediate nodes such as IDS/IPS
> The issue (ticket #104) was raised and closed some time back after
> lengthy discussions on the topic.
As everything in the WESP header is something that can be verified by the recipient node why is the integrity protection needed?
I think it would make implementation WESP much easier if it can be done as post processing step after ESP has been applied, in a similar way UDP encapsulation can be done to the ESP packet. -- email@example.com _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec