[IPsec] Comments on draft-ietf-ipsecme-esp-null-heuristics-01
Tero Mononen <tmo@iki.fi> Thu, 19 November 2009 08:43 UTC
Return-Path: <tmo@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 362243A6AE7 for <ipsec@core3.amsl.com>; Thu, 19 Nov 2009 00:43:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.259
X-Spam-Level: *
X-Spam-Status: No, score=1.259 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FRT_PROFIT1=3.858]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IrFr-QrsTCMj for <ipsec@core3.amsl.com>; Thu, 19 Nov 2009 00:43:58 -0800 (PST)
Received: from aho.jnai.com (jnai.com [212.16.111.196]) by core3.amsl.com (Postfix) with ESMTP id 602133A6858 for <ipsec@ietf.org>; Thu, 19 Nov 2009 00:43:58 -0800 (PST)
Received: from [10.9.0.226] (dhcp226.jnai.com [10.9.0.226]) by aho.jnai.com (Postfix) with ESMTP id 4BD9B78404 for <ipsec@ietf.org>; Thu, 19 Nov 2009 10:43:49 +0200 (EET)
Message-ID: <4B050533.5030102@iki.fi>
Date: Thu, 19 Nov 2009 10:43:31 +0200
From: Tero Mononen <tmo@iki.fi>
User-Agent: Thunderbird 2.0.0.22 (X11/20090608)
MIME-Version: 1.0
To: ipsec@ietf.org
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 19 Nov 2009 08:03:03 -0800
Subject: [IPsec] Comments on draft-ietf-ipsecme-esp-null-heuristics-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 08:47:12 -0000
Tero, Dan and others, I've read your informational draft. Overall comments: The draft contains quite a lot of background information (what you are trying to achieve on technical point of view, what were the alternative solutions considered). Part of this background is also available on WESP draft. Making this draft an information disclosure on "algorithm to determine if IPsec ESP packet stream has been encrypted or not", without too much explanation or hand waving would increase its usability. The background could be find by-reference on the WESP RFC. Please consider adding definitions/glossary entries for the following concepts: flow, flow-cache. I know they are relevant on certain implementations, but not necessarily well defined on that sense, or at least introducing these terms properly before using them. About the abstract: Consider changing abstract in a way that really points out the good on this approach. Something like: -8<--- This document describes an algorithm for distinguishing IPSEC ESP- NULL packets from encrypted ESP packets. The algorithm can be used on intermediate devices, like traffic analyzers, and deep inspection engines, to quickly decide whether given packet flow is interesting or not. Use of this algorithm does not require any changes made on existing RFC4303 compliant IPSEC hosts. -8<--- About the algorithm: Pseudo-code seems sane, and was understandable after reading the specification part. However I did not try to implement it, nor really proof its correctness. P.S. Please ignore the following meaningless whining: About Security Considerations: Raises a question, why is this all needed? What is the use case? Neither this, nor WESP draft can give a simple answer for the question. If encrypted traffic is allowed to pass traffic analyzer/intrusion detector/intrusion prevention/firewall/whatever, the malicious end nodes will use encryption. If encrypted traffic is dropped by intermediate, then there is an end node policy issue. Detection whether an ESP packet payload is encrypted or not should already be fast on deep inspection packet matching hardware. -- Tero Mononen <tmo@iki.remove-me.fi>
- [IPsec] Comments on draft-ietf-ipsecme-esp-null-h… Tero Mononen
- Re: [IPsec] Comments on draft-ietf-ipsecme-esp-nu… Vishwas Manral
- [IPsec] Comments on draft-ietf-ipsecme-esp-null-h… Tero Kivinen