Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
Tero Kivinen <kivinen@iki.fi> Thu, 17 December 2009 12:04 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 020EC3A68C4; Thu, 17 Dec 2009 04:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.573
X-Spam-Level:
X-Spam-Status: No, score=-2.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIbzXstXHdo6; Thu, 17 Dec 2009 04:04:12 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id BE3623A69D6; Thu, 17 Dec 2009 04:04:11 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nBHC3q8X028522 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Dec 2009 14:03:52 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nBHC3pWK004311; Thu, 17 Dec 2009 14:03:51 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19242.7719.715250.335841@fireball.kivinen.iki.fi>
Date: Thu, 17 Dec 2009 14:03:51 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Yaron Sheffer <yaronf@checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F0B9@il-ex01.ad.checkpoint.com>
References: <20091217023458.GA23757@mactavish> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF893F0B9@il-ex01.ad.checkpoint.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 15 min
X-Total-Time: 14 min
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, Russ Housley <housley@vigilsec.com>, "iesg@ietf.org" <iesg@ietf.org>, Dan McDonald <danmcd@sun.com>
Subject: Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 12:04:13 -0000
Yaron Sheffer writes: > I agree with you regarding some of the proposals that have been > floating around re: exposing bits and pieces of encrypted data. I am really concerned about some of those late proposals for WESP extensions, and if someone would have mentioned any of those earlier when we were discussing whether WESP should allow encrypted ESP also, I would have been even more against allowing encrypted WESP. > I disagree though that WESP should not be used for encrypted data: > > - It is simpler for implementations and architecturally cleaner for > WESP to support both flavors. It does make more complexity for the middle boxes as they need to cope with both encrypted WESP and ESP-NULL WESP, thus they still cannot use just the WESP protocol number to indicate this packet is clear text. Now they also need to check the bit in the header, and if we add more extensions to WESP, they need to start doing even more processing etc, and quite soon WESP is more complex than what AH is now. > - WESP provides for (secure) extensibility, which unfortunately we > have not had with ESP. Indeed we should be wise about picking such > extensions. ESP is extensible, but it just requires out of band communication to negotiate those extensions. We currently already have ESP extesions like extended sequence numbers (ESN), Explicit Congestion Notification (ECN), Traffic Flow Confidentiality (TFC), and Combined mode algorithms. Those were added after initial ESP was created, and they are negotiated using IKEv2 (or some other method). ESP does not offer extensibility that can be done without out of band communication, and as that out of band communication is normally encrypted (inside IKEv2) that means middle boxes cannot process it. I do not think WESP should be used as generic extensible ESP. That was not what the ipsecme wg was chartered to do. We were chartered to do: - A standards-track mechanism that allows an intermediary device, such as a firewall or intrusion detection system, to easily and reliably determine whether an ESP packet is encrypted with the NULL cipher; and if it is, determine the location of the actual payload data inside the packet. The starting points for this work item are draft-grewal-ipsec-traffic-visibility and draft-hoffman- esp-null-protocol. -- kivinen@iki.fi
- [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visib… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… gabriel montenegro
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Dan McDonald
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Yaron Sheffer
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Grewal, Ken
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Grewal, Ken
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jari Arkko
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Yaron Sheffer
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Brian Swander
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Jack Kohn
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Tero Kivinen
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… gabriel montenegro
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Russ Housley
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Bhatia, Manav (Manav)
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Paul Hoffman
- Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-v… Stephen Kent