[IPsec] Can selected IPv6 Headers be part of Authenticated Data with ESP-GCM?

Robert Moskowitz <rgm-sec@htt-consult.com> Mon, 25 May 2020 14:08 UTC

To: ipsec@ietf.org
From: Robert Moskowitz <rgm-sec@htt-consult.com>
Message-ID: <3980213d-88a2-0787-a9b2-3e41cd5d90ca@htt-consult.com>
Date: Mon, 25 May 2020 10:08:17 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/S3bqNylP66OULy3xmseyNDIhgAk>

I have an interesting use case for a new IPv6 header that MAY be secured within the ESP payload, or MAY be exposed for in-route processing, but MUST be protected (authenticated data).

My cursory review is not showing this is currently supported.

Is it, or would I need to define a variant of the AES-GCM mode?

Thanks
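To make the question concrete, here is an added Go example (not from this message, and not an implementation of any IETF specification) of how AES-GCM's associated data gives exactly the "authenticated but not encrypted" property asked about: it follows the RFC 4106 packet layout (AAD = SPI||Seq, nonce = salt||IV, wire format SPI||Seq||IV||ciphertext||ICV) and then feeds a hypothetical exposed header into the AAD. The names `espGcmSeal`, `espGcmOpen` and `extraAAD` are assumptions for this illustration; RFC 4106 itself restricts the AAD to the SPI and sequence number, so covering any other header this way would be a profile change, not standard ESP-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// newGCM returns AES-GCM with a 96-bit nonce and 128-bit ICV, as RFC 4106 uses.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// espGcmSeal mirrors the RFC 4106 layout: AAD = SPI||Seq, nonce = salt||IV, wire
// format SPI||Seq||IV||ciphertext||ICV. extraAAD stands for the hypothetical exposed
// IPv6 header from the question; RFC 4106 itself does not put anything else in the AAD.
func espGcmSeal(key, salt, iv []byte, spi, seq uint32, extraAAD, payload []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:4], spi)
	binary.BigEndian.PutUint32(hdr[4:8], seq)
	aad := append(append([]byte{}, hdr...), extraAAD...)
	nonce := append(append([]byte{}, salt...), iv...)
	pkt := append(append([]byte{}, hdr...), iv...)
	return aead.Seal(pkt, nonce, payload, aad), nil
}

// espGcmOpen is the receiver. extraAAD is not carried inside ESP: the receiver
// rebuilds it from the exposed outer header, so any in-route change to that
// header (or to SPI/Seq) makes the ICV check fail while the payload stays hidden.
func espGcmOpen(key, salt, extraAAD, pkt []byte) ([]byte, error) {
	if len(pkt) < 8+8+16 {
		return nil, errors.New("packet too short for ESP header, IV and ICV")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	aad := append(append([]byte{}, pkt[:8]...), extraAAD...)
	nonce := append(append([]byte{}, salt...), pkt[8:16]...)
	return aead.Open(nil, nonce, pkt[16:], aad)
}
```

The exposed header never appears in the ESP packet; both ends must agree on which bytes of it are fed into the AAD, which is the part a mode variant or profile would have to specify.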