Hi, Ole,

On 02/11/2013 06:42 PM, Ole Troan wrote:
>>> I think that would be OK.  Certainly it MUST NOT be more than
>>> those 8 bytes, because beyond there lies encrypted bits (in the
>>> general case).
>> 
>> Quickly skimming through RFC4303, it looks like the first 8 bytes
>> of the ESP header are referred to as "header" (with the other being
>> referred to as "payload" and "trailer").. so it looks like ESP
>> wouldn't really be a "special case".
>> 
>> Should we clarify "how many bytes are included" for ESP,
>> nevertheless?
> 
> anything that has a next header field is not the upper layer header. 
> the middlebox doesn't have access to anything following the ESP
> header.

Not sure what you mean. You mean that we shouldn't refer to ESP as an
"upper-layer header"? Or something else?



>>> I actually believe that the SPI alone would suffice for ESP.
>> 
>> It probably would, but.. since the Seq # is part of the header, and
>> it is also transmitted in plain text, I'd personally deal with ESP
>> as with the general case "the entire ESP header" (IMO, the fewer
>> the "special cases", the better).
> 
> what about ESP with NULL encryption?

Please see Ran's response.



> what you are trying to achieve is "the first fragment should include
> as much of the header chain as would be available if the packet was
> reassembled", right? perhaps phrase it along those lines.

I would specify everything "from the sender side", since that's where the
decision is to be made (e.g., "must include the entire IPv6 header chain
available prior to any possible fragmentation").

FWIW, if ESP is used, the encrypted bytes are the payload (not the
header), and hence we're fine. If tunneling is being employed (whether
with IPsec or with something else), anything inside the tunnel is,
strictly speaking, a different layer -- so including everything up till
the ESP header would be okay.

Thoughts?

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492




--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
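
The check a middlebox could apply to the requirement discussed in this thread, as an added example that is not part of the original message or of any draft text: walk the IPv6 header chain of a first fragment and report whether it is complete, stopping at the 8-byte ESP header (SPI + Sequence Number). The function and helper names, the upper-layer minimum sizes and the sample packets are assumptions of this example.

```python
import struct

EXT_8 = {0, 43, 60}            # Hop-by-Hop, Routing, Destination Options
FRAGMENT, ESP, AH, NO_NEXT = 44, 50, 51, 59
# Cleartext bytes required for the header that ends the chain.
# ESP: SPI + Sequence Number, the 8 bytes discussed in the thread.
# The TCP/UDP/ICMPv6 minimums are assumptions of this example.
TERMINAL_MIN = {ESP: 8, 6: 20, 17: 8, 58: 4}

def check_first_fragment(pkt: bytes):
    """Return (complete, chain); chain lists (next_header_value, length)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, []
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_8 or nh in (FRAGMENT, AH):
        if len(pkt) < off + 2:
            return False, chain            # chain cut inside an extension header
        if nh == FRAGMENT:
            hlen = 8
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4  # AH length is in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units minus 1
        if len(pkt) < off + hlen:
            return False, chain
        if nh == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            raise ValueError("not a first fragment (offset != 0)")
        chain.append((nh, hlen))
        nh, off = pkt[off], off + hlen
    if nh == NO_NEXT:
        return True, chain + [(nh, 0)]
    # Terminal header: ESP or an upper-layer protocol. Unknown protocols get
    # no minimum here (assumption); nothing past ESP's 8 bytes is inspected.
    need = TERMINAL_MIN.get(nh, 0)
    return len(pkt) >= off + need, chain + [(nh, need)]

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet with all-zero addresses (sample data)."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

if __name__ == "__main__":
    frag = bytes([ESP, 0]) + struct.pack("!HI", 1, 0x1234)  # offset 0, M=1
    print(check_first_fragment(ipv6(FRAGMENT, frag + bytes(8))))  # full ESP header
    print(check_first_fragment(ipv6(FRAGMENT, frag + bytes(4))))  # ESP header split
```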
