Hey Ashok, thanks for your feedback.
For your first comment I tend to agree and I think we can add this to the draft! For the second, I agree with your assumption that tunnels might appear in constrained scenarios (it’s actually one of our main goals for ipsec/esp). However, I’m not sure if this recommendation to not use fragmentation is valid on a security side, why I’d like to give the question to the ipsecme WG, if that does not open any other security issues? Or if there is anything else to consider on that? Thanks Tobias Von: Raja ashok [mailto:raja.as...@huawei.com] Gesendet: Freitag, 14. Juli 2017 16:22 An: draft-mglt-lwig-minimal-...@ietf.org Cc: l...@ietf.org Betreff: Suggestions in draft-mglt-lwig-minimal-esp Hi Daniel & Tobias, I gone through the lwIG draft for ESP. I am having some doubts and suggestions which are listed below. Please check and provide your comments. 1) For replay protection, RFC 4303 suggests to use 32 or 64 bit window. I feel in this draft, we can recommend to use 32 bit window for replay protection. 2) Tunneled ESP msg with fragmented IP header (in ESP payload) may leads to DoS vulnerability for a constraint receiver. RFC 4303 is suggesting this fragmentation as optional. So I feel we can mention as fragmentation and reassembly is not required to support in tunneled IP header. As it can be handled by the IP header which carries ESP msg. I hope tunneled ESP msg might be required in some scenarios of constraint devices also. Regards, Ashok _____ Raja Ashok V K Huawei Technologies Bangalore, India http://www.huawei.com _____ 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群 组。禁 止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮 件中 的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件! This e-mail and its attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient(s) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it!
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec