Re: [IPsec] Ensuring future extensibility for WESP
Yaron Sheffer <yaronf@checkpoint.com> Sat, 28 November 2009 16:43 UTC
Return-Path: <yaronf@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 606B93A679C for <ipsec@core3.amsl.com>; Sat, 28 Nov 2009 08:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.232
X-Spam-Level:
X-Spam-Status: No, score=-3.232 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZk2YIoKEJt9 for <ipsec@core3.amsl.com>; Sat, 28 Nov 2009 08:43:16 -0800 (PST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id BBC673A63C9 for <ipsec@ietf.org>; Sat, 28 Nov 2009 08:43:15 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (localhost [127.0.0.1]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nASGh3Go024830; Sat, 28 Nov 2009 18:43:03 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Sat, 28 Nov 2009 18:43:09 +0200
From: Yaron Sheffer <yaronf@checkpoint.com>
To: Min Huang <huangmin@huaweisymantec.com>
Date: Sat, 28 Nov 2009 18:43:06 +0200
Thread-Topic: [IPsec] Ensuring future extensibility for WESP
Thread-Index: AcpwERxLgpIkjGkuTrSRqgDiJxEEPwAOIPjw
Message-ID: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BDF88E0364@il-ex01.ad.checkpoint.com>
References: <000401ca7011$1cafaaf0$619a1b0a@china.huawei.com>
In-Reply-To: <000401ca7011$1cafaaf0$619a1b0a@china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] Ensuring future extensibility for WESP
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2009 16:43:17 -0000
Hi Min, Thanks for your (correct) comment. Yaron > -----Original Message----- > From: Min Huang [mailto:huangmin@huaweisymantec.com] > Sent: Saturday, November 28, 2009 11:57 > To: Yaron Sheffer > Cc: ipsec@ietf.org > Subject: Re: [IPsec] Ensuring future extensibility for WESP > > > I like this as well. > This is the minimal change to add extensilibity to WESP. > > Howerver, there is a small problem here. > As Yaron suggested: > >2. If P=1 (Padding Present flag), the first octet of the Padding field > will > > hold the padding's length. [Hardware implementations can check that it > is > 4 > > for IPv6, otherwise move the packet to the slow path]. All other Padding > > octets are sent as zero, and ignored by the receiver. > > According to draft-ietf-ipsecme-traffic-visibility-10,Section 2, Page 6 > HdrLen, 8 bits: Offset from the beginning of the WESP header to > the beginning of the Rest of Payload Data (i.e., past the IV, if > present) within the encapsulated ESP header, in octets. HdrLen > MUST be set to zero when using ESP with encryption. When using > integrity-only ESP, the following HdrLen values are invalid: any > value less than 12; any value that is not a multiple of 4; any > value that is not a multiple of 8 when using IPv6. The receiver > MUST ensure that this field matches with the header offset > computed from using the negotiated SA and MUST drop the packet > in case it does not match. > > It might be conflicted according to these two definitions. > The Padding field is 256 octets at most with the first octet holding the > padding's > length.The Hdrlen is also 8 bits and the whole WESP header is 256 octets > at > most. > But the header fielder with 4 octets more than the Padding field. > So the padding field SHOULD be any length<252. > > Thanks, > Min Huang > > > Sat, 21 Nov 2009 05:54:33 +0530, Jack Kohn <kohn.jack at gmail.com> wrote: > >I support this as well. > > > >Jack > > > >On Fri, Nov 20, 2009 at 10:34 PM, Grewal, Ken <ken.grewal at intel.com> > wrote: > >> I support this change to ensure future compatibility with the base > draft. > >> > >> As Yaron indicates, the extension header size is as per the current > draft > >> and we are just adding some semantics to the pad field. > >> > >> > >> > >> There is also minimal textual change in the document. > >> > >> > >> > >> Thanks, > >> > >> - Ken > >> > >> > >> > >> From: ipsec-bounces at ietf.org [mailto:ipsec-bounces at ietf.org] On > Behalf Of > >> Yaron Sheffer > >> Sent: Tuesday, November 17, 2009 11:30 PM > >> To: IPsecme WG > >> Subject: [IPsec] Ensuring future extensibility for WESP > >> > >> > >> > >> Hi, > >> > >> > >> > >> The recent draft on extending WESP which was presented in Hiroshima, > >> explains why the current WESP is *not* extensible, and we would need a > new > >> version number if we are to add any extensions in the future. > >> > >> > >> > >> It is up to the WG to decide whether or not we want to adopt the draft, > >> given that many people were skeptical about the specific extensions > >> proposed. But regardless of that, it would be a mistake to publish WESP > >> today with no facility for extensibility. After consulting with Pasi > (the > >> draft is at a very late stage, having been through IESG review), I > would > >> like to make a simple proposal to add this extensibility, with (almost) > no > >> change to the current draft. This will leave us with future options, at > >> virtually no cost. I am basically just changing the semantics of the > Padding > >> field. Specifically: > >> > >> > >> > >> 1. Rename IPv6Padding to "Padding (Reserved for Future Use)", and allow > it > >> to be any length <256, subject to the IPv4 and IPv6 alignment > constraints. > >> > >> 2. If P=1 (Padding Present flag), the first octet of the Padding field > will > >> hold the padding's length. [Hardware implementations can check that it > is > 4 > >> for IPv6, otherwise move the packet to the slow path]. All other > Padding > >> octets are sent as zero, and ignored by the receiver. > >> > >> > >> > >> Note that there are barely any changes on the wire, as long as we don't > have > >> extensions. In particular the length remains unchanged. > >> > >> > >> > >> Thanks, > >> > > > Yaron > > > > Scanned by Check Point Total Security Gateway.
- [IPsec] Ensuring future extensibility for WESP Yaron Sheffer
- Re: [IPsec] Ensuring future extensibility for WESP Bhatia, Manav (Manav)
- Re: [IPsec] Ensuring future extensibility for WESP Grewal, Ken
- Re: [IPsec] Ensuring future extensibility for WESP Jack Kohn
- Re: [IPsec] Ensuring future extensibility for WESP Min Huang
- Re: [IPsec] Ensuring future extensibility for WESP Yaron Sheffer