Re: [IPsec] WESP - Roadmap Ahead

"Bhatia, Manav (Manav)" <> Fri, 13 November 2009 04:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A071D3A6A38 for <>; Thu, 12 Nov 2009 20:42:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.443
X-Spam-Status: No, score=-2.443 tagged_above=-999 required=5 tests=[AWL=0.156, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pXe2xhhbhfBW for <>; Thu, 12 Nov 2009 20:42:34 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B76333A676A for <>; Thu, 12 Nov 2009 20:42:34 -0800 (PST)
Received: from ( []) by (8.13.8/IER-o) with ESMTP id nAD4gtXI005475; Thu, 12 Nov 2009 22:42:56 -0600 (CST)
Received: from ( []) by (8.13.8/emsr) with ESMTP id nAD4grC0013133; Thu, 12 Nov 2009 22:42:54 -0600 (CST)
Received: from ( []) by (8.13.7/8.13.7/Alcanet1.0) with ESMTP id nAD4jjqD014942; Fri, 13 Nov 2009 12:45:46 +0800
Received: from ([]) by ([]) with mapi; Fri, 13 Nov 2009 10:12:50 +0530
From: "Bhatia, Manav (Manav)" <>
To: Stephen Kent <>
Date: Fri, 13 Nov 2009 10:12:47 +0530
Thread-Topic: [IPsec] WESP - Roadmap Ahead
Thread-Index: AcpkByQNmvb9tFQzS8OQWAWEttLuSAADUvvg
Message-ID: <>
References: <> <p06240800c720d4538dd2@> <p0624080ac7212e67c860@> <> <p0624080ec7213743dc05@> <> <> <> <p06240805c72267851254@[]>
In-Reply-To: <p06240805c72267851254@[]>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on
X-Scanned-By: MIMEDefang 2.64 on
Cc: "" <>, "" <>, Kaeo <>, Daniel Migault <>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 13 Nov 2009 04:42:35 -0000

> >
> >So what fields does AH protect:
> >
> >Version, Payload length, Next Header, Source IP and dest IP
> you forgot IPv4 and IPv6  options that have predictable values at the 
> destination

Lets start with the IPv6 Type 0 Route Header (aka "Source Routing" in v4 parlance), which is a mutable but a predictable extension header. It has been discovered and is widely known that these functionalities can be exploited in order to perform remote network discovery, can be used to bypass firewalls and can be used for DoS attacks. RFC 5095 has more details on this. This has been deprecated and nobody is really using this.

Hop-by-Hop Options and Destination Extension Headers

These options contain a bit that indicates whether the option might change (unpredictably) during transit.  For any option for which contents may change en-route, the entire "Option Data" field must be treated as zero-valued octets when computing or verifying the ICV.  The Option Type and Opt Data Len are included in the ICV calculation. All options for which the bit indicates immutability are included in the ICV calculation.  

If we were to use ESP-NULL instead then there is no way to validate whether the Option Type and Opt Data Len is valid or not till the processing is done at the receiving end.

So, what kind of attack can be possibly done by changing these values? What is the real risk involved here?

Fragmentation Header

Fragmentation occurs after AH processing and the reassembly, before AH processing on the other end. So, there is really no gain there too.

Cheers, Manav