Re: [IPsec] Next Header field in WESP header

Thu, 14 May 2009 02:12:55 -0700 

Hi Tero,

I agree that the HdrLen and TrailerLen fields MUST be 0 for encrypted WESP.
So yes, we use WESP for encrypted traffic to get:

- Extensibility (with the 8-bit Flags field).
- A single protocol that can do both cases.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Tero Kivinen
> Sent: Thursday, May 14, 2009 12:02
> To: gabriel montenegro
> Cc: ipsec@ietf.org; Bhatia, Manav (Manav); Stephen Kent
> Subject: Re: [IPsec] Next Header field in WESP header
> 
> gabriel montenegro writes:
> > Perhaps we need more details on what exactly we mean by "the
> > endpoint thus must verify the sanity of the WESP header before accepting
> > the packet"? And the action to drop the offending packet?
> 
> Yes. I think we need very specific rules with MUSTs in them to say
> that packet MUST be dropped if ESP-NULL packet has Next header field
> in WESP header which do not match the real Next Header field in the
> end. Also final recipient MUST check that the HdrLen or TrailerLen
> fields in the WESP header match the negotiate SA and MUST drop the
> packet if they do not match.
> 
> Next question is what values are used for HdrLen and TrailerLen if
> encrypted ESP is used. If we use real values we do leak out
> information, but on the other hand there is no point of giving that
> information out as middle nodes cannot do anything with it.
> 
> Actually what are we trying to do if we send encrypted ESP with WESP
> wrapper. If we are just making so that we can extend the WESP header
> in the future, isn't the version bits enough for that? I mean if we do
> not know why someone would want to use WESP encoding for encrypted ESP
> now, why do we allow it?
> --
> kivi...@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> Scanned by Check Point Total Security Gateway.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to