Jack,
Thanks for describing the additional selection criteria that must be
employed to avoid the problem I cited.
Given this more complete description of the selection criteria, I am
not convinced that that is a significant benefit for using WESP in
this context.
- Whether using WESP or just ESP-NULL, the router needs to
determine that the packet is addressed to it. This means looking for
either a unicast address (per interface?) or a multicast address. I
thought that the traffic of interest would arrive on a multicast
address. If so, then this is a very easy check.
- Traffic other than OSPF can be addressed to the router, but
I'm not sure what other traffic would be multicast. For unicast
traffic addressed to the router, if some of that is protected using
ESP with confidentiality, then the address check might have to be
extended to include a source address as well.
- There is an assumption that the OSPFv3 traffic is
(ultimately) protected using ESP-NULL. The next check that you
described, i.e., looking for a few bits that indicate whether the
payload is OSPF and appears to be a HELLO or ACK, is the real focus
of this thread. There appear to be a couple of cases:
- If all multicast traffic directed to the router and
protected using ESP is ESP-NULL, then WESP seems to help ONLY if
there are algorithms being used for different SAs, AND if those
algorithms result in different offsets for the start of the ESP-NULL
payload. It's not clear that this is a realistic case. But, in this
case, using WESP could avoid the need to check the SPI in the packet.
What's not clear is whether checking for WESP and extracting the
offset info is faster than matching against a set of SPIs.
- If some multicast traffic directed to the router is
protected with ESP with confidentiality, in addition to the ESP-NULL
OSPF traffic, then one would need to check SPI values to
differentiate between these two classes of traffic.
So, the question of whether we have one multicast SA for this
traffic, or potentially a lot of these SAs is potentially relevant.
As I mentioned in my previous message, this is not completely clear
to me from 4552. You didn't respond to that part of my message, so I
don't know if that means you find the RFC unclear on this point as
well, or if you didn't think it mattered to this discussion. Well, it
appears to matter, if one believes that the number is substantial.
So, the bottom line appears to be that WESP might be better than just
using ESP-NULL, depending on the number of multicast SAs that
terminate at the router, that make use of ESP, and maybe whether the
ones that use ESP make use of different integrity algorithms that
result in different offsets. That is a lot of IFs for which we have
yet to get an answer.
In any case, as I noted earlier, because of the use of manual keying
in this context, selecting a subset of packets for out-of-order
processing does not impose any burden on the IPsec processing for the
remaining packets, so all of the comments about that issue were red herrings.
Steve
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
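The two selection paths Steve contrasts above (WESP header fields versus an SPI lookup plus ESP trailer parsing) are shown side by side in the following added example. It is illustrative code written for this page, not code from the thread, RFC 4552, or RFC 5840. Everything in it is constructed: the IPv6/ESP/WESP packets, the three-entry SA table (one HMAC-SHA1-96 ESP-NULL SA with no IV, one AES-GMAC ESP-NULL SA with an 8-octet IV, one encrypting SA), the zeroed stand-in ICVs, and the convention that the WESP TrailerLen field counts every octet after the OSPF payload (padding, Pad Length, Next Header and ICV). The exact WESP field semantics should be checked against RFC 5840 before relying on this for real packets.

```python
"""Pick OSPFv3 Hello / LS Ack packets out of ESP traffic addressed to the
router without full IPsec processing, two ways:
  (a) WESP: Next Header / HdrLen / TrailerLen / E-bit from the WESP header
      locate the ESP-NULL payload with no per-SA state;
  (b) plain ESP: the SPI must be matched against a table to learn the SA's
      IV and ICV lengths, and the ESP trailer must be read from the end of
      the packet to find Next Header and Pad Length.
All packets and SA parameters below are constructed for the example."""
import struct
import ipaddress

IPV6_HDR_LEN = 40
PROTO_ESP, PROTO_WESP, PROTO_OSPF = 50, 141, 89
ESP_HDR_LEN = 8                                   # SPI + Sequence Number
OSPF_HELLO, OSPF_LS_ACK = 1, 5
OSPF_MCAST = {ipaddress.IPv6Address("ff02::5"),   # AllSPFRouters
              ipaddress.IPv6Address("ff02::6")}   # AllDRouters

# Assumed manually keyed SAs: which ones are ESP-NULL and the IV/ICV lengths
# their integrity algorithms imply (these determine the payload offsets).
SA_TABLE = {
    0x1001: {"null": True,  "iv_len": 0, "icv_len": 12},   # HMAC-SHA1-96
    0x1002: {"null": True,  "iv_len": 8, "icv_len": 16},   # AES-GMAC
    0x1003: {"null": False, "iv_len": 8, "icv_len": 16},   # ESP with confidentiality
}

# ---- constructed packets (not captured traffic) ----

def ospfv3_packet(ptype, router_id=0x0A000001, area_id=0):
    """16-octet OSPFv3 header followed by a zeroed 20-octet Hello-sized body."""
    body = bytes(20)
    return struct.pack("!BBHIIHBB", 3, ptype, 16 + len(body),
                       router_id, area_id, 0, 0, 0) + body

def esp_null_encap(spi, seq, inner, next_hdr, sa):
    """ESP-NULL encapsulation with dummy IV/ICV; returns (esp, trailer_len)."""
    pad_len = (-(len(inner) + 2)) % 4             # 4-octet alignment of the trailer
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr])
    icv = bytes(sa["icv_len"])                    # stand-in; a real sender computes it
    esp = struct.pack("!II", spi, seq) + bytes(sa["iv_len"]) + inner + trailer + icv
    return esp, len(trailer) + len(icv)

def ipv6(next_hdr, dst, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 1,
                       ipaddress.IPv6Address("fe80::1").packed, dst.packed) + payload

def esp_packet(spi, seq, inner, dst):
    esp, _ = esp_null_encap(spi, seq, inner, PROTO_OSPF, SA_TABLE[spi])
    return ipv6(PROTO_ESP, dst, esp)

def wesp_packet(spi, seq, inner, dst, encrypted=False):
    """Same ESP packet behind a 4-octet WESP header:
    Next Header | HdrLen | TrailerLen | Flags (VVEPRRRR)."""
    sa = SA_TABLE[spi]
    esp, trailer_len = esp_null_encap(spi, seq, inner, PROTO_OSPF, sa)
    hdr_len = 4 + ESP_HDR_LEN + sa["iv_len"]     # offset to the ESP-NULL payload
    flags = 0x20 if encrypted else 0             # E bit: payload is encrypted
    return ipv6(PROTO_WESP, dst, struct.pack("!BBBB", PROTO_OSPF, hdr_len,
                                             trailer_len, flags) + esp)

# ---- the two selection paths ----

def _to_router(pkt):
    return ipaddress.IPv6Address(pkt[24:40]) in OSPF_MCAST

def _ospf_type(payload):
    if len(payload) < 16 or payload[0] != 3:      # OSPF version 3
        return None
    return payload[1]

def classify_wesp(pkt):
    """(a) WESP: offsets come from the header; no SPI table needed."""
    if pkt[6] != PROTO_WESP or not _to_router(pkt):
        return None
    nh, hdr_len, trailer_len, flags = struct.unpack_from("!BBBB", pkt, IPV6_HDR_LEN)
    if flags & 0xC0 or flags & 0x20 or nh != PROTO_OSPF:   # bad version, encrypted, not OSPF
        return None
    return _ospf_type(pkt[IPV6_HDR_LEN + hdr_len:len(pkt) - trailer_len])

def classify_esp_null(pkt, sa_table):
    """(b) plain ESP: SPI lookup gives IV/ICV lengths; trailer gives Next Header."""
    if pkt[6] != PROTO_ESP or not _to_router(pkt):
        return None
    sa = sa_table.get(struct.unpack_from("!I", pkt, IPV6_HDR_LEN)[0])
    if sa is None or not sa["null"]:              # unknown SPI or confidentiality SA
        return None
    icv_len = sa["icv_len"]
    pad_len, nh = pkt[-icv_len - 2], pkt[-icv_len - 1]
    if nh != PROTO_OSPF:
        return None
    start = IPV6_HDR_LEN + ESP_HDR_LEN + sa["iv_len"]
    return _ospf_type(pkt[start:len(pkt) - icv_len - 2 - pad_len])

def needs_priority(pkt, sa_table=SA_TABLE):
    """True for an OSPFv3 Hello or LS Ack the router can spot by either path."""
    t = classify_wesp(pkt) if pkt[6] == PROTO_WESP else classify_esp_null(pkt, sa_table)
    return t in (OSPF_HELLO, OSPF_LS_ACK)
```

Note what each path touches: `classify_wesp` reads four octets at a fixed offset and never consults `SA_TABLE`, while `classify_esp_null` needs the SPI match before it can even find the trailer, and the payload offset shifts by the SA's IV length. That is the case Steve identifies where WESP helps; when every ESP-NULL SA uses the same algorithm, the offsets collapse and only the SPI-versus-header-parse speed question remains.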