Grewal, Ken writes:
> >- A question: did the WG discuss the pros and cons of integrity
> >protecting the WESP header? (This does make WESP more complex to
> >implement, and currently the WESP header does not contain any data
> >that would benefit from integrity protection in any way.)
> [Ken] This change was the result of a discussion on threats posed by
> 'malware', which could modify the WESP headers to obfuscate the
> payload from inspection by intermediate nodes such as IDS/IPS
> systems.
> The issue (ticket #104) was raised and closed some time back after
> lengthy discussions on the topic.
> http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
As everything in the WESP header is something that can be verified by the recipient node, why is the integrity protection needed?

I think it would make implementing WESP much easier if it could be done as a post-processing step after ESP has been applied, in a similar way to how UDP encapsulation can be done to the ESP packet.
-- 
kivinen@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
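The post-processing model argued for above, as an added example (this is not code from the thread, from RFC 5840, or from any IPsec implementation): the WESP header is derived from a finished integrity-only ESP packet and prepended to it, and the receiver, after ordinary ESP processing, recomputes what the WESP header should have said and drops the packet on any mismatch. That is the check a receiver can make because every WESP field is derivable from the authenticated ESP packet, so a header altered in transit is caught without the header being covered by the ESP ICV. Assumptions made here: ESP-NULL with HMAC-SHA256-96 as the ICV and no IV, a four-octet WESP header laid out as Next Header / HdrLen / TrailerLen / Flags with the padding-present bit at 0x10 and no options, and the encrypted (E-bit) case is not modelled; the packets and key are constructed for the demonstration.

```python
# Added example (not from the ipsec list thread, RFC 5840 or any IPsec stack).
# Models WESP as a post-processing step over a finished integrity-only ESP
# packet and shows the receiver cross-checking every WESP header field against
# what its own ESP processing yields.
# Assumptions: ESP-NULL with HMAC-SHA256-96 as ICV and no IV; a 4-octet WESP
# header Next Header / HdrLen / TrailerLen / Flags with the P bit at 0x10 and no
# options; the encrypted (E-bit) case is not modelled. Packets are constructed.
import hashlib
import hmac
import struct

ESP_HDR_LEN = 8      # SPI (4 octets) + Sequence Number (4 octets)
ICV_LEN = 12         # HMAC-SHA256 truncated to 96 bits
WESP_HDR_LEN = 4     # no WESP options in this model
FLAG_P = 0x10        # padding-present bit (assumed position)


def build_esp_null(spi, seq, payload, next_header, key):
    """Build an ESP-NULL packet: header, payload, 4-octet alignment padding,
    Pad Length, Next Header, then the ICV over everything before it."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))           # RFC 4303 default padding
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def wesp_encapsulate(esp_packet):
    """Post-processing step: derive the WESP header from the finished ESP packet
    and prepend it. The ESP packet, ICV included, is left untouched, the same
    way UDP encapsulation only wraps a finished ESP packet."""
    pad_len, next_header = esp_packet[-ICV_LEN - 2], esp_packet[-ICV_LEN - 1]
    trailer_len = pad_len + 2 + ICV_LEN              # padding + PadLen + NH + ICV
    flags = FLAG_P if pad_len else 0
    return bytes([next_header, WESP_HDR_LEN + ESP_HDR_LEN, trailer_len, flags]) + esp_packet


def middlebox_view(packet):
    """What an IDS/IPS that trusts the WESP header inspects: it locates the
    payload from HdrLen/TrailerLen and types it by Next Header, with no key."""
    next_header, hdr_len, trailer_len, _flags = packet[:WESP_HDR_LEN]
    return next_header, packet[hdr_len:len(packet) - trailer_len]


def wesp_receive(packet, key):
    """Receiver: strip WESP, do ordinary ESP processing (ICV check), then require
    every WESP field to equal the value ESP processing itself produced.
    Returns (next_header, payload) or raises ValueError (packet dropped)."""
    wesp_hdr = tuple(packet[:WESP_HDR_LEN])
    esp_packet = packet[WESP_HDR_LEN:]
    body, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected_icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected_icv, icv):
        raise ValueError("ESP ICV check failed")
    pad_len, next_header = body[-2], body[-1]
    payload = body[ESP_HDR_LEN:len(body) - 2 - pad_len]
    # Everything in the WESP header is derivable from the authenticated ESP
    # packet, so recompute it and compare; a mismatch means it was altered.
    expected_hdr = (next_header, WESP_HDR_LEN + ESP_HDR_LEN,
                    pad_len + 2 + ICV_LEN, FLAG_P if pad_len else 0)
    if wesp_hdr != expected_hdr:
        raise ValueError("WESP header inconsistent with ESP packet, dropping")
    return next_header, payload


def receiver_accepts(packet, key):
    """True if the receiver would deliver the packet, False if it drops it."""
    try:
        wesp_receive(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key"
    esp = build_esp_null(0x1000, 1, b"GET / HTTP/1.0\r\n", 6, key)
    good = wesp_encapsulate(esp)
    print(good[:WESP_HDR_LEN].hex(), middlebox_view(good), receiver_accepts(good, key))
    # Tampering: claim the payload is UDP and shift HdrLen so an IDS inspects
    # the wrong bytes; the ESP part is untouched, yet the receiver rejects it.
    bad = bytes([17, 20]) + good[2:]
    print(middlebox_view(bad), receiver_accepts(bad, key))
```

The point the example makes is that the sender's WESP step never touches the ESP packet or its ICV, and the receiver's WESP step is a pure consistency check against values ESP processing already has to compute, so the two can sit outside the ESP code in the same place a UDP encapsulation layer would.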