Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
gabriel montenegro <g_e_montenegro@yahoo.com> Tue, 13 October 2009 21:07 UTC
References: <808FD6E27AD4884E94820BC333B2DB773C06B22D72@NOK-EUMSG-01.mgdnok.nokia.com> <C49B4B6450D9AA48AB99694D2EB0A483325793BA@rrsmsx505.amr.corp.intel.com> <19127.24553.76610.294336@fireball.kivinen.iki.fi> <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328491@il-ex01.ad.checkpoint.com>
Date: Tue, 13 Oct 2009 14:07:04 -0700
From: gabriel montenegro <g_e_montenegro@yahoo.com>
To: Yaron Sheffer <yaronf@checkpoint.com>, Tero Kivinen <kivinen@iki.fi>, "Grewal, Ken" <ken.grewal@intel.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328491@il-ex01.ad.checkpoint.com>
Cc: "ipsec@ietf.org" <ipsec@ietf.org>, "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
Just to make sure this does not fall through the cracks: we've submitted rev 09 last week to address the AD review comments per discussion on the mailing list and at the virtual interim.

----- Original Message ----
> From: Yaron Sheffer <yaronf@checkpoint.com>
> To: Tero Kivinen <kivinen@iki.fi>; "Grewal, Ken" <ken.grewal@intel.com>
> Cc: "ipsec@ietf.org" <ipsec@ietf.org>; "Pasi.Eronen@nokia.com" <Pasi.Eronen@nokia.com>
> Sent: Mon, September 21, 2009 5:40:19 AM
> Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
>
> Hi Tero,
>
> Given that the existing ESP header is integrity-protected, I don't see the
> downside to adding the same protection for the new header. On the other hand,
> this would eliminate a whole class of vulnerabilities. We still have a few
> reserved bits in the WESP header, and you don't want to find out years down the
> road that they cannot be used because they're not protected in transit.
>
> Thanks,
> Yaron
>
> > -----Original Message-----
> > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On Behalf Of
> > Tero Kivinen
> > Sent: Monday, September 21, 2009 14:14
> > To: Grewal, Ken
> > Cc: ipsec@ietf.org; Pasi.Eronen@nokia.com
> > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
> >
> > Grewal, Ken writes:
> > > >- A question: did the WG discuss the pros and cons of integrity
> > > >protecting the WESP header? (This does make WESP more complex to
> > > >implement, and currently the WESP header does not contain any data
> > > >that would benefit from integrity protection in any way.)
> > > [Ken] This change was the result of a discussion on threats posed by
> > > 'malware', which could modify the WESP headers to obfuscate the
> > > payload from inspection by intermediate nodes such as IDS/IPS
> > > systems.
> > > The issue (ticket #104) was raised and closed some time back after
> > > lengthy discussions on the topic.
> > > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
> >
> > As everything in the WESP header is something that can be verified by
> > the recipient node, why is the integrity protection needed?
> >
> > I think it would make implementation of WESP much easier if it can be
> > done as a post-processing step after ESP has been applied, in a similar
> > way UDP encapsulation can be done to the ESP packet.
> > --
> > kivinen@iki.fi
> > _______________________________________________
> > IPsec mailing list
> > IPsec@ietf.org
> > https://www.ietf.org/mailman/listinfo/ipsec
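Added example, not taken from any of the messages above and not the draft's own code: a Python sketch contrasting the two positions in the thread. The four-byte WESP header layout (Next Header, HdrLen, TrailerLen, Flags with Version/E/P/Reserved bits) follows the published WESP specification, RFC 5840; the key, SPI, field values and the truncated HMAC-SHA-256 stand-in for the ESP integrity algorithm are constructed for the demo. `cover_wesp=False` models WESP applied as a post-processing step over a finished ESP packet, so the ICV covers only the ESP body; `cover_wesp=True` extends the ICV to the WESP header. The demo then alters the reserved flag bits of an already-built packet and shows that the receiver's ICV check catches the change only in the second model, which is the point Yaron makes about the reserved bits.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real SA would derive this from IKE.
KEY = b"constructed-demo-integrity-key"
ICV_LEN = 12  # truncated HMAC-SHA-256 as a stand-in for an ESP integrity algorithm


def build_wesp_header(next_header, hdr_len, trailer_len,
                      version=0, encrypted=False, padded=False, reserved=0):
    """Pack the 4-byte WESP header: Next Header, HdrLen, TrailerLen, Flags.

    Flags byte layout: Version (2 bits) | E (1 bit) | P (1 bit) | Reserved (4 bits).
    """
    flags = ((version & 0x3) << 6) | (int(encrypted) << 5) | (int(padded) << 4) | (reserved & 0xF)
    return struct.pack("!BBBB", next_header, hdr_len, trailer_len, flags)


def compute_icv(key, *parts):
    """Integrity check value over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:ICV_LEN]


def protect(key, wesp_hdr, esp_body, cover_wesp):
    """Emit WESP header + ESP body + ICV.

    cover_wesp=False models WESP as a post-processing step: the ICV is computed
    over the ESP body only. cover_wesp=True extends the ICV to the WESP header.
    """
    covered = (wesp_hdr, esp_body) if cover_wesp else (esp_body,)
    return wesp_hdr + esp_body + compute_icv(key, *covered)


def verify(key, packet, cover_wesp):
    """Receiver-side check: recompute the ICV with the same coverage rule."""
    wesp_hdr, rest = packet[:4], packet[4:]
    esp_body, tag = rest[:-ICV_LEN], rest[-ICV_LEN:]
    covered = (wesp_hdr, esp_body) if cover_wesp else (esp_body,)
    return hmac.compare_digest(tag, compute_icv(key, *covered))


def with_reserved_bits(packet, value):
    """Model an in-transit change to the 4 reserved flag bits (low nibble of byte 3)."""
    flags = (packet[3] & 0xF0) | (value & 0x0F)
    return packet[:3] + bytes([flags]) + packet[4:]


def demo():
    """Return {cover_wesp: (clean packet verifies, packet with altered reserved bits verifies)}."""
    # Constructed ESP body: SPI, sequence number, opaque payload bytes.
    esp_body = struct.pack("!II", 0x1234, 1) + b"opaque-esp-payload"
    # Header field values are constructed samples, not RFC 5840 semantics.
    hdr = build_wesp_header(next_header=6, hdr_len=4, trailer_len=0, encrypted=True)
    results = {}
    for cover in (False, True):
        pkt = protect(KEY, hdr, esp_body, cover)
        results[cover] = (verify(KEY, pkt, cover),
                          verify(KEY, with_reserved_bits(pkt, 0xF), cover))
    return results


if __name__ == "__main__":
    for cover, (clean_ok, altered_ok) in demo().items():
        print(f"ICV covers WESP header: {cover!s:5}  clean={clean_ok}  "
              f"altered_reserved_bits={altered_ok}")
```

Tero's counter-argument fits the same harness: a receiver can cross-check the defined WESP fields (E bit, lengths) against what its own ESP processing yields, so those do not strictly need ICV coverage; a reserved bit with no defined meaning has nothing to be checked against, so only ICV coverage pins its value in transit.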