Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

gabriel montenegro <g_e_montenegro@yahoo.com> Tue, 13 October 2009 21:07 UTC

Message-ID: <569256.53993.qm@web82608.mail.mud.yahoo.com>
References: <808FD6E27AD4884E94820BC333B2DB773C06B22D72@NOK-EUMSG-01.mgdnok.nokia.com> <C49B4B6450D9AA48AB99694D2EB0A483325793BA@rrsmsx505.amr.corp.intel.com> <19127.24553.76610.294336@fireball.kivinen.iki.fi> <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328491@il-ex01.ad.checkpoint.com>
Date: Tue, 13 Oct 2009 14:07:04 -0700
From: gabriel montenegro <g_e_montenegro@yahoo.com>
To: Yaron Sheffer <yaronf@checkpoint.com>, Tero Kivinen <kivinen@iki.fi>, "Grewal, Ken" <ken.grewal@intel.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328491@il-ex01.ad.checkpoint.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility

Just to make sure this does not fall through the cracks: we submitted rev 09 last week to address
the AD review comments, per the discussion on the mailing list and at the virtual interim.

----- Original Message ----
> From: Yaron Sheffer <yaronf@checkpoint.com>
> To: Tero Kivinen <kivinen@iki.fi>; "Grewal, Ken" <ken.grewal@intel.com>
> Cc: "ipsec@ietf.org" <ipsec@ietf.org>; "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
> Sent: Mon, September 21, 2009 5:40:19 AM
> Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
> 
> Hi Tero,
> 
> Given that the existing ESP header is integrity-protected, I don't see the 
> downside to adding the same protection for the new header. On the other hand, 
> this would eliminate a whole class of vulnerabilities. We still have a few 
> reserved bits in the WESP header, and you don't want to find out years down the 
> road that they cannot be used because they're not protected in transit.
> 
> Thanks,
>     Yaron
> 
> > -----Original Message-----
> > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> > Tero Kivinen
> > Sent: Monday, September 21, 2009 14:14
> > To: Grewal, Ken
> > Cc: ipsec@ietf.org; Pasi.Eronen@nokia.com
> > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-
> > visibility
> > 
> > Grewal, Ken writes:
> > > >- A question: did the WG discuss the pros and cons of integrity
> > > >protecting the WESP header? (This does make WESP more complex to
> > > >implement, and currently the WESP header does not contain any data
> > > >that would benefit from integrity protection in any way.)
> > > [Ken] This change was the result of a discussion on threats posed by
> > > 'malware', which could modify the WESP headers to obfuscate the
> > > payload from inspection by intermediate nodes such as IDS/IPS
> > > systems.
> > > The issue (ticket #104) was raised and closed some time back after
> > > lengthy discussions on the topic.
> > > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
> > 
> > As everything in the WESP header is something that can be verified by
> > the recipient node, why is the integrity protection needed?
> > 
> > I think it would make implementing WESP much easier if it can be
> > done as a post-processing step after ESP has been applied, in a similar
> > way to how UDP encapsulation can be done to the ESP packet.
> > --
> > kivinen@iki.fi
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
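As an added illustration of the two positions in the thread (example code, not from the draft or any participant): an inspecting middlebox has to trust the WESP header it sees, because it cannot check the ICV, while the recipient can cross-check every field against its SA state and the ESP trailer. The four-octet header layout follows the WESP draft; the exact length semantics, the SA parameters and the ESP-NULL sample packet are this example's own assumptions.

```python
import struct

# WESP header (4 octets): Next Header, HdrLen, TrailerLen, Flags.
# Flags: bits 7-6 Version, bit 5 E (payload encrypted), bit 4 P (padding),
# bits 3-0 reserved.  Assumed semantics for this example: HdrLen counts from
# the start of WESP to the payload; TrailerLen counts from the end of the
# packet to the start of ESP padding (Pad Length, Next Header and ICV included).
WESP_LEN, ESP_HDR_LEN = 4, 8   # ESP header = SPI (4) + Sequence Number (4)

def parse_wesp(pkt):
    nh, hlen, tlen, flags = struct.unpack("!BBBB", pkt[:WESP_LEN])
    return {"next_header": nh, "hdr_len": hlen, "trailer_len": tlen,
            "version": flags >> 6, "encrypted": bool(flags & 0x20),
            "padded": bool(flags & 0x10), "reserved": flags & 0x0F}

def middlebox_view(pkt):
    """What an IDS/IPS sees: it must trust the WESP header as received.
    Returns the plaintext payload, or None when the header says 'encrypted'."""
    w = parse_wesp(pkt)
    if w["encrypted"] or w["version"] != 0:
        return None
    return pkt[w["hdr_len"]:len(pkt) - w["trailer_len"]]

def receiver_checks(pkt, sa):
    """Inconsistencies the recipient can detect from SA state and the ESP
    trailer alone; an empty list means the WESP header is consistent."""
    w, bad = parse_wesp(pkt), []
    if w["version"] != 0 or w["reserved"] != 0:
        bad.append("bad version or reserved bits")
    if w["encrypted"] != sa["encrypted"]:
        bad.append("E flag disagrees with the SA's cipher")
    if sa["encrypted"]:
        return bad                  # nothing else is visible in this mode
    if w["hdr_len"] != WESP_LEN + ESP_HDR_LEN + sa["iv_len"]:
        bad.append("HdrLen does not match ESP header plus IV length")
    icv = sa["icv_len"]
    pad_len, trailer_nh = pkt[-icv - 2], pkt[-icv - 1]
    if w["next_header"] != trailer_nh:
        bad.append("Next Header differs from the ESP trailer")
    if w["trailer_len"] != pad_len + 2 + icv:
        bad.append("TrailerLen inconsistent with Pad Length and ICV size")
    return bad

# Constructed ESP-NULL sample: 12-octet ICV, no IV, no padding, TCP payload.
SA = {"encrypted": False, "iv_len": 0, "icv_len": 12}
PAYLOAD = b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n\r\n"   # fake TCP bytes
ESP_TRAILER = bytes([0, 6]) + b"\x00" * 12                 # Pad Len, NH=TCP, ICV
ESP_NULL_PKT = (bytes([6, 12, 14, 0x00]) + struct.pack("!II", 0x1234, 1)
                + PAYLOAD + ESP_TRAILER)
# Same packet with only the E bit flipped: the header rewrite Ken's threat
# describes, which makes the middlebox skip a packet it could have inspected.
TAMPERED_PKT = ESP_NULL_PKT[:3] + bytes([0x20]) + ESP_NULL_PKT[4:]
```

The cross-check in `receiver_checks` is what Tero's argument relies on; an ICV that also covers the WESP header is what Yaron wants, so that the reserved bits can be given meaning later without this list of checks having to grow.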