Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-null-heuristics-01
Nicolas Williams <Nicolas.Williams@sun.com> Tue, 13 October 2009 18:53 UTC
Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 44F2328C1E1 for <ipsec@core3.amsl.com>; Tue, 13 Oct 2009 11:53:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.146
X-Spam-Level:
X-Spam-Status: No, score=-1.146 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_MISMATCH_COM=0.553, MANGLED_LIST=2.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R6U-jJkMiLbi for <ipsec@core3.amsl.com>; Tue, 13 Oct 2009 11:53:15 -0700 (PDT)
Received: from brmea-mail-2.sun.com (brmea-mail-2.Sun.COM [192.18.98.43]) by core3.amsl.com (Postfix) with ESMTP id 17C293A6856 for <ipsec@ietf.org>; Tue, 13 Oct 2009 11:53:15 -0700 (PDT)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by brmea-mail-2.sun.com (8.13.6+Sun/8.12.9) with ESMTP id n9DIrE7U004183 for <ipsec@ietf.org>; Tue, 13 Oct 2009 18:53:15 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id n9DIrEES001936 for <ipsec@ietf.org>; Tue, 13 Oct 2009 12:53:14 -0600 (MDT)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id n9DIYPuQ008854; Tue, 13 Oct 2009 13:34:25 -0500 (CDT)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id n9DIYPxd008853; Tue, 13 Oct 2009 13:34:25 -0500 (CDT)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Tue, 13 Oct 2009 13:34:25 -0500
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
Message-ID: <20091013183424.GH887@Sun.COM>
References: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328329@il-ex01.ad.checkpoint.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BD9338E802@il-ex01.ad.checkpoint.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BD9338E802@il-ex01.ad.checkpoint.com>
User-Agent: Mutt/1.5.7i
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-null-heuristics-01
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2009 18:53:16 -0000
- Section 7, 1st paragraph: MOBIKE is mentioned without a reference. - Section 7, 2nd paragraph: s/avare/aware/ - Section 8.1, next to last sentence: this sentence is grammatically incorrect, I think. How about: If the protocol (also known as the, "next header") of thepacket is one that is not supported by the heuristics, then detecting the IV length is impossible, thus the heuristics cannot finish. - Section 8.2, 2nd paragraph: s/shorted/shortest/ - Section 8.2, 2nd paragraph, 2nd sentence: s/implementation/the implementation/ - Section 8.2, 2nd paragraph, 2nd sentence: s/valid looking/valid-looking/ - Section 8.2, bottom of page 15: s/insure/ensure/ (yes, nowadays your use if 'insure' in this way is quite common) - Section 8.2, next to last paragraph, next to last sentence: I'm not sure what is meant. Can you try to re-write this sentence? How about: By counting how many "unsure" returns obtained via heuristics, and after the receipt of a consistent, but unknown, next-header number in same location (i.e., likely with the same ICV length), the node can conclude that that flow has a high probability of being ESP-NULL (since it's unlikely that so many packets would pass the integrity check at the destination unless they were legitimate). (The key change is the addition of a comma and moving a clause into a parenthetical.) - Section 8.3, 1st paragraph, 2nd sentence: this sentence is grammatically incorrect, and I'm unsure as to what is meant. I think what is meant is that if an intermediate node has seen a stateful ULP flow over an ESP-NULL flow, and later the SA is changed and the new flow looks like ESP-NULL and appears to contain a next protocol header that matches that previously-seentateful ULP flow, then chances are very good that the old ESP-NULL flow is abandoned and replaced by the new one. In such situations the intermediate node can simply change the old ESP-NULL state's lookup key. - Section 8.3.1, 1st paragraph, 1st sentence: s/feed/fed/ - Section 8.3.1, third paragraph: are you suggesting that intermediate nodes drop TCP-looking packets to elicit retransmission? - Section 9, 1st paragraph, 1st sentence, I think you may want to make this change: s/unless that is not/unless that is/ - Section 9, 1st paragraph, 1st sentence: this is an odd sentence construction. How about: Attackers can always bypass ESP-NULL deep packet inspection by using encrypted ESP (or some other encryption or tunneling method) instead, unless the intermediate node's policy requires dropping of packets that it cannot inspect. - Section 9, 1st paragraph, 2nd sentence, rewrite: Ultimately the responsibility for performing deep inspection, or allowing intermediate nodes to perform deep inspection, must rest on the end nodes. - Section 9, 1st paragraph, last sentence: s/but in that/in which/ - Section 10.2, an informative reference to MOBIKE is needed. What about multicast IPsec? Done. Nico --
- [IPsec] WG last call: draft-ietf-ipsecme-esp-null… Yaron Sheffer
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Scott C Moonen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Yoav Nir
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Yaron Sheffer
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Paul Hoffman
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Nicolas Williams
- Re: [IPsec] WG last call: draft-ietf-ipsecme-esp-… Tero Kivinen