ipsec September 2009 archive

Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

From: Yaron Sheffer <yaronf_at_nospam>
Date: Mon Sep 21 2009 - 12:40:19 GMT
To: Tero Kivinen <kivinen@iki.fi>, "Grewal, Ken" <ken.grewal@intel.com>

Hi Tero,

Given that the existing ESP header is integrity-protected, I don't see the downside to adding the same protection for the new header. On the other hand, this would eliminate a whole class of vulnerabilities. We still have a few reserved bits in the WESP header, and you don't want to find out years down the road that they cannot be used because they're not protected in transit.



> -----Original Message-----
> From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> Tero Kivinen
> Sent: Monday, September 21, 2009 14:14
> To: Grewal, Ken
> Cc: ipsec@ietf.org; Pasi.Eronen@nokia.com
> Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-
> visibility
> Grewal, Ken writes:
> > >- A question: did the WG discuss the pros and cons of integrity
> > >protecting the WESP header? (This does make WESP more complex to
> > >implement, and currently the WESP header does not contain any data
> > >that would benefit from integrity protection in any way.)
> > [Ken] This change was the result of a discussion on threats posed by
> > 'malware', which could modify the WESP headers to obfuscate the
> > payload from inspection by intermediate nodes such as IDS/IPS
> > systems.
> > The issue (ticket #104) was raised and closed some time back after
> > lengthy discussions on the topic.
> > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
> As everything in the WESP header is something that can be verified by
> the recipient node why is the integrity protection needed?
> I think it would make implementing WESP much easier if it can be
> done as a post-processing step after ESP has been applied, in a similar
> way to how UDP encapsulation can be done to the ESP packet.
> --
> kivinen@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
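The trade-off the thread is arguing over, as an added Python example (not code from the thread or from any WESP implementation): a receiver that includes the 4-octet WESP header in the ICV calculation rejects a packet whose E bit or reserved bits were altered, while a receiver that computes the ICV over the ESP part alone accepts it unchanged. The key, SPI, payload and field values are constructed, and HMAC-SHA256 stands in for whatever integrity algorithm the SA negotiates.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-integrity-key"   # constructed; not a real SA key
ICV_LEN = 16                               # 128-bit truncated ICV

def wesp_header(next_header, hdr_len, trailer_len, encrypted=False, padding=False, reserved=0):
    """4-octet WESP header: Next Header, HdrLen, TrailerLen, Flags.
    Flags octet = version (2 bits, 0) | E | P | 4 reserved bits."""
    flags = (int(encrypted) << 5) | (int(padding) << 4) | (reserved & 0x0F)
    return struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)

def compute_icv(key, wesp, esp_part, cover_wesp):
    """ICV over the ESP header/payload/trailer, optionally also over the WESP
    header (the choice debated above)."""
    covered = (wesp if cover_wesp else b"") + esp_part
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]

def build_packet(key, wesp, esp_part, cover_wesp):
    return wesp + esp_part + compute_icv(key, wesp, esp_part, cover_wesp)

def verify_packet(key, packet, cover_wesp):
    """Receiver-side check; True when the ICV matches."""
    wesp, esp_part, icv = packet[:4], packet[4:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, wesp, esp_part, cover_wesp))

def sample_packet(cover_wesp):
    """Constructed ESP-NULL packet: SPI, sequence number, cleartext payload,
    then a minimal ESP trailer (pad length 0, next header 6 = TCP)."""
    esp_part = struct.pack("!II", 0x1234, 7) + b"cleartext payload" + b"\x00\x06"
    wesp = wesp_header(6, hdr_len=12, trailer_len=2 + ICV_LEN)   # E=0: not encrypted
    return build_packet(KEY, wesp, esp_part, cover_wesp)

def header_change_detected(cover_wesp, new_header):
    """Does the receiver reject the packet once its WESP header is replaced
    by new_header, with the ESP part and ICV left untouched?"""
    packet = sample_packet(cover_wesp)
    return not verify_packet(KEY, new_header + packet[4:], cover_wesp)

if __name__ == "__main__":
    e_set = wesp_header(6, 12, 18, encrypted=True)   # header now claims encryption
    rsvd = wesp_header(6, 12, 18, reserved=0b0001)   # one reserved bit changed
    for cover in (False, True):
        print(f"WESP header covered by ICV: {cover}")
        print("  E-bit change detected:       ", header_change_detected(cover, e_set))
        print("  reserved-bit change detected:", header_change_detected(cover, rsvd))
```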