Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <kent@bbn.com> Fri, 13 November 2009 05:15 UTC

Return-Path: <kent@bbn.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6AB93A68FC for <ipsec@core3.amsl.com>; Thu, 12 Nov 2009 21:15:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.529
X-Spam-Level:
X-Spam-Status: No, score=-2.529 tagged_above=-999 required=5 tests=[AWL=0.070, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VtzubWd4jWnp for <ipsec@core3.amsl.com>; Thu, 12 Nov 2009 21:15:59 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 001333A691C for <ipsec@ietf.org>; Thu, 12 Nov 2009 21:15:58 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[133.93.16.246]) by smtp.bbn.com with esmtp (Exim 4.63) (envelope-from <kent@bbn.com>) id 1N8oWH-0005Eb-CZ; Fri, 13 Nov 2009 00:16:26 -0500
Mime-Version: 1.0
Message-Id: <p06240825c7229aead977@[133.93.16.246]>
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350AB2C85E59@INBANSXCHMBSA1.in.alcatel-luce nt.com>
References: <dc8fd0140911110805q67759507t6cf75a1e9d81c5aa@mail.gmail.com> <p06240800c720d4538dd2@133.93.112.234> <p0624080ac7212e67c860@133.93.16.246> <8CCEE8E4-9AC4-46FB-93E4-FE61E0135EB7@doubleshotsecurity.com> <p0624080ec7213743dc05@133.93.16.246> <dc8fd0140911112030y46aa24f9hf3715d57446e96c0@mail.gmail.com> <51eafbcb0911112144u6e25b826w4ec8110d1f73e652@mail.gmail.com> <7C362EEF9C7896468B36C9B79200D8350AB2C85E06@INBANSXCHMBSA1.in.alcatel-luce nt.com> <p06240805c72267851254@[133.93.16.246]> <7C362EEF9C7896468B36C9B79200D8350AB2C85E59@INBANSXCHMBSA1.in.alcatel-luce nt.com>
Date: Fri, 13 Nov 2009 00:16:21 -0500
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Cc: "ipsec@ietf.org" <ipsec@ietf.org>
Subject: Re: [IPsec] WESP - Roadmap Ahead
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Nov 2009 05:15:59 -0000

My message pointed out that there was no mention of options,  Your 
reply picked a couple of option examples and argued that they were 
either not used or did not pose a security problem.

The right way to generate a god answer is to construct a table of all 
the options, and provide a rationale for why each one is not covered, 
deprecated, or not secruity relevant.

Also, note that IPSO and CIPSO are examples of options that were 
discussed at the IPSECME meeting this week, where there is a need to 
bind the options to the payload.  I observed that using tunnel mode 
(ESP) addresses this concern, but one could also note that using AH 
would do the same, with lower per-packet bandwidth overhead.

Steve