IETF Logo Mail Archive

Re: [IPsec] Ensuring future extensibility for WESP

Yaron Sheffer <yaronf@checkpoint.com> Sat, 28 November 2009 16:43 UTC

Return-Path: <yaronf@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 606B93A679C for <ipsec@core3.amsl.com>; Sat, 28 Nov 2009 08:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.232
X-Spam-Level:
X-Spam-Status: No, score=-3.232 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZk2YIoKEJt9 for <ipsec@core3.amsl.com>; Sat, 28 Nov 2009 08:43:16 -0800 (PST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id BBC673A63C9 for <ipsec@ietf.org>; Sat, 28 Nov 2009 08:43:15 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nASGh3Go024830; Sat, 28 Nov 2009 18:43:03 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sat, 28 Nov 2009 18:43:09 +0200
From: Yaron Sheffer <yaronf@checkpoint.com>
To: Min Huang <huangmin@huaweisymantec.com>
Date: Sat, 28 Nov 2009 18:43:06 +0200
Thread-Topic: [IPsec] Ensuring future extensibility for WESP
Thread-Index: AcpwERxLgpIkjGkuTrSRqgDiJxEEPwAOIPjw
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E0364@il-ex01.ad.checkpoint.com>
References: <000401ca7011$1cafaaf0$619a1b0a@china.huawei.com>
In-Reply-To: <000401ca7011$1cafaaf0$619a1b0a@china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Ensuring future extensibility for WESP
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 16:43:17 -0000

Hi Min,

Thanks for your (correct) comment.

	Yaron

> -----Original Message-----
> From: Min Huang [mailto:huangmin@huaweisymantec.com]
> Sent: Saturday, November 28, 2009 11:57
> To: Yaron Sheffer
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Ensuring future extensibility for WESP
> 
> 
> I like this as well.
> This is the minimal change to add extensilibity to WESP.
> 
> Howerver, there is a small problem here.
> As Yaron suggested:
> >2. If P=1 (Padding Present flag), the first octet of the Padding field
> will
> > hold the padding's length. [Hardware implementations can check that it
> is
> 4
> > for IPv6, otherwise move the packet to the slow path]. All other Padding
> > octets are sent as zero, and ignored by the receiver.
> 
> According to draft-ietf-ipsecme-traffic-visibility-10,Section 2, Page 6
>    HdrLen, 8 bits: Offset from the beginning of the WESP header to
>    the beginning of the Rest of Payload Data (i.e., past the IV, if
>    present) within the encapsulated ESP header, in octets. HdrLen
>    MUST be set to zero when using ESP with encryption. When using
>    integrity-only ESP, the following HdrLen values are invalid: any
>    value less than 12; any value that is not a multiple of 4; any
>    value that is not a multiple of 8 when using IPv6. The receiver
>    MUST ensure that this field matches with the header offset
>    computed from using the negotiated SA and MUST drop the packet
>    in case it does not match.
> 
> It might be conflicted according to these two definitions.
> The Padding field is 256 octets at most with the first octet holding the
> padding's
> length.The Hdrlen is also 8 bits and the whole WESP header is 256 octets
> at
> most.
> But the header fielder with 4 octets more than the Padding field.
> So the padding field SHOULD be any length<252.
> 
> Thanks,
> Min Huang
> 
> 
> Sat, 21 Nov 2009 05:54:33 +0530, Jack Kohn <kohn.jack at gmail.com> wrote:
> >I support this as well.
> >
> >Jack
> >
> >On Fri, Nov 20, 2009 at 10:34 PM, Grewal, Ken <ken.grewal at intel.com>
> wrote:
> >> I support this change to ensure future compatibility with the base
> draft.
> >>
> >> As Yaron indicates, the extension header size is as per the current
> draft
> >> and we are just adding some semantics to the pad field.
> >>
> >>
> >>
> >> There is also minimal textual change in the document.
> >>
> >>
> >>
> >> Thanks,
> >>
> >> - Ken
> >>
> >>
> >>
> >> From: ipsec-bounces at ietf.org [mailto:ipsec-bounces at ietf.org] On
> Behalf Of
> >> Yaron Sheffer
> >> Sent: Tuesday, November 17, 2009 11:30 PM
> >> To: IPsecme WG
> >> Subject: [IPsec] Ensuring future extensibility for WESP
> >>
> >>
> >>
> >> Hi,
> >>
> >>
> >>
> >> The recent draft on extending WESP which was presented in Hiroshima,
> >> explains why the current WESP is *not* extensible, and we would need a
> new
> >> version number if we are to add any extensions in the future.
> >>
> >>
> >>
> >> It is up to the WG to decide whether or not we want to adopt the draft,
> >> given that many people were skeptical about the specific extensions
> >> proposed. But regardless of that, it would be a mistake to publish WESP
> >> today with no facility for extensibility. After consulting with Pasi
> (the
> >> draft is at a very late stage, having been through IESG review), I
> would
> >> like to make a simple proposal to add this extensibility, with (almost)
> no
> >> change to the current draft. This will leave us with future options, at
> >> virtually no cost. I am basically just changing the semantics of the
> Padding
> >> field. Specifically:
> >>
> >>
> >>
> >> 1. Rename IPv6Padding to "Padding (Reserved for Future Use)", and allow
> it
> >> to be any length <256, subject to the IPv4 and IPv6 alignment
> constraints.
> >>
> >> 2. If P=1 (Padding Present flag), the first octet of the Padding field
> will
> >> hold the padding's length. [Hardware implementations can check that it
> is
> 4
> >> for IPv6, otherwise move the packet to the slow path]. All other
> Padding
> >> octets are sent as zero, and ignored by the receiver.
> >>
> >>
> >>
> >> Note that there are barely any changes on the wire, as long as we don't
> have
> >> extensions. In particular the length remains unchanged.
> >>
> >>
> >>
> >> Thanks,
> >>
> > >            Yaron
> 
> 
> 
> Scanned by Check Point Total Security Gateway.

v2.23.0 | Report a Bug | By Email