At 6:17 AM +0530 12/29/09, Jack Kohn wrote:
> Are you suggesting that ESP ICV should not cover the WESP fields?
> I think, and my memory could be failing me, that this was discussed in
> the WG before this got added to the draft.
>
> Jack

I am suggesting that WESP should be cleanly layered, in one of two ways:

- do not interfere with the ESP ICV computation (be unauthenticated,
  for the reasons already noted by Tero and Russ)

- incorporate the necessary info from the ESP header and not replicate
  the ESP structure, i.e., become a full-fledged alternative to ESP-NULL
  (not for ESP when confidentiality is employed) when end systems are
  configured to expose encapsulated header info to middle boxes.

The current design is a hybrid that imposes undue complexity on IPsec
implementations.

Steve
_______________________________________________
IPsec mailing list
https://www.ietf.org/mailman/listinfo/ipsec