Re: Thomas Narten's DISCUSS vote
Steve Bellovin <smb@research.att.com> Tue, 26 May 1998 14:22 UTC
Received: (from majordom@localhost) by portal.ex.tis.com (8.8.2/8.8.2) id KAA15669 for ipsec-outgoing; Tue, 26 May 1998 10:22:46 -0400 (EDT)
Message-Id: <199805261434.KAA05377@postal.research.att.com>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
cc: ipsec@tis.com
Subject: Re: Thomas Narten's DISCUSS vote
Date: Tue, 26 May 1998 10:34:24 -0400
From: Steve Bellovin <smb@research.att.com>
Sender: owner-ipsec@ex.tis.com
Precedence: bulk
The text is valid; ESP includes integrity protection, although ESP doesn't cover the IP header. In the new IPSEC scheme, it is extremely unlikely that someone will use both ESP and AH. ESP-NULL provides no data confidentiality, but it does provide integrity over the packet data (but not of the IP headers), thus allowing NAT boxes to muck with the IP headers. Whether or not this is a horrible abstraction violation is beside the point; if the goal is to allow NAT boxes to work, while still providing data integrity services for the packet contents, ESP NULL is one way of accomplishing that goal.

The objection is valid -- because of the transport checksum, which is protected by ESP-NULL's integrity algorithm, the IP addresses can't be tinkered with in a useful fashion. (Well, I suppose that a NAT box could change the source port number to offset the changes to the addresses -- but I don't really regard that as useful...)

ESP-NULL has a lot of advantages -- but enabling NAT isn't one of them. (Well, I suppose that one could argue that defeating NAT is itself a nice feature, but that's out of bounds for this WG...)
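The checksum argument above, worked through in code as an added example (not part of the thread): the TCP checksum is computed over a pseudo-header that contains both IP addresses, and the checksum field sits inside the data that an ESP-NULL ICV protects, so a NAT that rewrites an address must either leave TCP with a bad checksum or break the ICV. The ICV is a toy HMAC-SHA1-96 over just the TCP segment (ESP header and trailer omitted), the key and addresses are constructed, and the two NAT helpers are hypothetical, including the port-compensation trick from Bellovin's aside.

```python
import hashlib, hmac, socket, struct
KEY = b"constructed-demo-key"  # constructed SA key for the toy ICV

def ocsum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, folded to 16 bits."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total
def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """TCP checksum: covers a pseudo-header holding both IP addresses plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, 6, len(segment))  # zero, protocol TCP, TCP length
    return ~ocsum(pseudo + segment) & 0xFFFF
def build_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Minimal TCP segment (20-byte header, checksum field at bytes 16..17)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def esp_null_icv(protected: bytes) -> bytes:
    """HMAC-SHA1-96 style ICV over the ESP-protected data (here the TCP segment only)."""
    return hmac.new(KEY, protected, hashlib.sha1).digest()[:12]
def receiver_verify(src_ip, dst_ip, segment, icv):
    """What the receiving host sees: (ESP ICV ok?, TCP checksum ok?)."""
    icv_ok = hmac.compare_digest(esp_null_icv(segment), icv)
    csum_ok = tcp_checksum(src_ip, dst_ip, segment) == 0  # sum over a correct segment verifies to 0
    return icv_ok, csum_ok

def nat_fix_checksum(new_src, dst_ip, segment):
    """Hypothetical ordinary source NAT: new address, and the TCP checksum repaired to match it."""
    body = segment[:16] + b"\x00\x00" + segment[18:]
    return body[:16] + struct.pack("!H", tcp_checksum(new_src, dst_ip, body)) + body[18:]
def nat_compensate_port(old_src, new_src, segment):
    """Hypothetical NAT using Bellovin's aside: shift the source port by the address delta so the checksum field can stay."""
    delta = (ocsum(socket.inet_aton(new_src)) - ocsum(socket.inet_aton(old_src))) % 0xFFFF
    new_port = (struct.unpack("!H", segment[:2])[0] - delta) % 0xFFFF
    return struct.pack("!H", new_port) + segment[2:]

def demo():
    seg = build_segment("10.0.0.5", "192.0.2.1", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    icv = esp_null_icv(seg)  # sender's ESP-NULL ICV over the segment, before NAT
    nat_src = "198.51.100.7"
    addr_only = receiver_verify(nat_src, "192.0.2.1", seg, icv)  # ICV holds, TCP checksum fails
    repaired = receiver_verify(nat_src, "192.0.2.1", nat_fix_checksum(nat_src, "192.0.2.1", seg), icv)
    port_trick = receiver_verify(nat_src, "192.0.2.1", nat_compensate_port("10.0.0.5", nat_src, seg), icv)
    return addr_only, repaired, port_trick  # (True, False), (False, True), (False, True)
```

Either way the receiver ends up rejecting the packet: the port trick keeps the checksum field intact but still changes bytes under the ICV.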
- Re: Thomas Narten's DISCUSS vote Gabriel.Montenegro
- Thomas Narten's DISCUSS vote Theodore Y. Ts'o
- Re: Thomas Narten's DISCUSS vote Vipul Gupta
- Re: Thomas Narten's DISCUSS vote Gabriel.Montenegro
- Re: Thomas Narten's DISCUSS vote Vach Kompella
- Re: Thomas Narten's DISCUSS vote Steve Bellovin
- Re: Thomas Narten's DISCUSS vote Hilarie Orman
- Re: Thomas Narten's DISCUSS vote Thomas Narten
- RE: Thomas Narten's DISCUSS vote Stephen Waters
- Re: Thomas Narten's DISCUSS vote Pyda Srisuresh