ipsec September 2009 archive

Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

From: Tero Kivinen <kivinen_at_nospam>
Date: Mon Sep 21 2009 - 11:13:45 GMT
To: "Grewal, Ken" <ken.grewal@intel.com>

Grewal, Ken writes:
> >- A question: did the WG discuss the pros and cons of integrity
> >protecting the WESP header? (This does make WESP more complex to
> >implement, and currently the WESP header does not contain any data
> >that would benefit from integrity protection in any way.)
> [Ken] This change was the result of a discussion on threats posed by
> 'malware', which could modify the WESP headers to obfuscate the
> payload from inspection by intermediate nodes such as IDS/IPS
> systems.
> The issue (ticket #104) was raised and closed some time back after
> lengthy discussions on the topic.
> http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104

As everything in the WESP header is something that can be verified by the recipient node, why is the integrity protection needed?

I think it would make implementation of WESP much easier if it can be done as a post-processing step after ESP has been applied, in a similar way to how UDP encapsulation can be done to the ESP packet.

-- 
kivinen@iki.fi
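An added illustration, not code from this thread or from the draft, of the two points made above: wrapping an already-finished ESP packet in a WESP header as a pure post-processing step, and the recipient checking every WESP field against what its negotiated SA already implies (so a header rewritten in transit, as in the quoted IDS/IPS threat, is caught at the endpoint). The 4-octet header layout (Next Header, HdrLen, TrailerLen, Flags carrying Version and the P bit) is assumed to follow the later published RFC 5840; the `SA` class and the packet bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass

ESP_HDR_LEN = 8          # SPI (4) + Sequence Number (4), RFC 4303
WESP_FIXED_LEN = 4       # Next Header, HdrLen, TrailerLen, Flags
FLAG_P_ENCRYPTED = 0x01  # P bit of the Flags octet (assumed RFC 5840 layout)


@dataclass(frozen=True)
class SA:
    """Receiver's view of the negotiated SA (constructed for this example)."""
    encrypted: bool  # False = ESP-NULL, i.e. payload is inspectable
    iv_len: int      # IV octets following the ESP header (0 for ESP-NULL)
    icv_len: int     # ICV octets at the end of the ESP packet


def wesp_wrap(esp_packet: bytes, sa: SA, next_header: int) -> bytes:
    """Post-processing step: prepend a WESP header to an already-built ESP packet."""
    hdr_len = WESP_FIXED_LEN + ESP_HDR_LEN + sa.iv_len  # offset to payload data
    flags = FLAG_P_ENCRYPTED if sa.encrypted else 0     # Version 0 in the top 2 bits
    return struct.pack("!BBBB", next_header, hdr_len, sa.icv_len, flags) + esp_packet


def wesp_check(packet: bytes, sa: SA) -> list:
    """Receiver-side check: each WESP field must agree with what the SA implies."""
    if len(packet) < WESP_FIXED_LEN + ESP_HDR_LEN:
        return ["packet too short for WESP + ESP headers"]
    _next_header, hdr_len, trailer_len, flags = struct.unpack("!BBBB", packet[:4])
    problems = []
    if flags >> 6 != 0:
        problems.append(f"unknown WESP version {flags >> 6}")
    if bool(flags & FLAG_P_ENCRYPTED) != sa.encrypted:
        problems.append("P bit disagrees with SA encryption algorithm")
    if hdr_len != WESP_FIXED_LEN + ESP_HDR_LEN + sa.iv_len:
        problems.append(f"HdrLen {hdr_len} does not match SA ESP header + IV length")
    if trailer_len != sa.icv_len:
        problems.append(f"TrailerLen {trailer_len} does not match SA ICV length")
    return problems


def demo():
    """Constructed ESP-NULL packet: SPI, seq, 12-byte payload, pad/padlen/next, 12-byte ICV."""
    sa = SA(encrypted=False, iv_len=0, icv_len=12)
    esp = struct.pack("!II", 0x1000, 1) + b"payload-data" + b"\x00\x00" + bytes([2, 6]) + b"\x11" * 12
    good = wesp_wrap(esp, sa, next_header=6)
    tampered = bytearray(good)
    tampered[3] |= FLAG_P_ENCRYPTED  # header now claims an encrypted payload
    return wesp_check(good, sa), wesp_check(bytes(tampered), sa)
```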