Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

Mon, 21 Sep 2009 05:40:38 -0700 

Hi Tero,

Given that the existing ESP header is integrity-protected, I don't see the 
downside to adding the same protection for the new header. On the other hand, 
this would eliminate a whole class of vulnerabilities. We still have a few 
reserved bits in the WESP header, and you don't want to find out years down the 
road that they cannot be used because they're not protected in transit.

Thanks,
        Yaron

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of
> Tero Kivinen
> Sent: Monday, September 21, 2009 14:14
> To: Grewal, Ken
> Cc: ipsec@ietf.org; pasi.ero...@nokia.com
> Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-
> visibility
> 
> Grewal, Ken writes:
> > >- A question: did the WG discuss the pros and cons of integrity
> > >protecting the WESP header? (This does make WESP more complex to
> > >implement, and currently the WESP header does not contain any data
> > >that would benefit from integrity protection in any way.)
> > [Ken] This change was the result of a discussion on threats posed by
> > 'malware', which could modify the WESP headers to obfuscate the
> > payload from inspection by intermediate nodes such as IDS/IPS
> > systems.
> > The issue (ticket #104) was raised and closed some time back after
> > lengthy discussions on the topic.
> > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
> 
> As everything in the WESP header is something that can be verified by
> the recipient node why is the integrity protection needed?
> 
> I think it would make implementation WESP much easier if it can be
> done as post processing step after ESP has been applied, in a similar
> way UDP encapsulation can be done to the ESP packet.
> --
> kivi...@iki.fi
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
> 
> Scanned by Check Point Total Security Gateway.

Email secured by Check Point

Email secured by Check Point
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

Reply via email to