Re: [IPsec] WESP - Roadmap Ahead

Tero Kivinen <> Wed, 25 November 2009 14:00 UTC

Date: Wed, 25 Nov 2009 15:59:58 +0200
From: Tero Kivinen <>
To: Daniel Migault <>
Cc: "Bhatia, Manav (Manav)" <>, Stephen Kent <>, Merike Kaeo <>
Subject: Re: [IPsec] WESP - Roadmap Ahead

Daniel Migault writes:
> I agree that for an already negotiated SA, the SPD lookup detects IP source
> address spoofing.

Not quite true, as you point out yourself.

> So in that case ESP detects the address spoofing during
> the SPD check whereas AH would detect it while checking the signature check.
> However SAD lookup is done with the longest match rule, and section 4.1 of
> RFC 4301 specifies:
>       "3. Search the SAD for a match on only SPI if the receiver has
>          chosen to maintain a single SPI space for AH and ESP, and on
>          both SPI and protocol, otherwise."
> This seems to enable an ESP or AH datagram with spoofed IP addresses to match
> the SAD and SPD.

Yes, and this is very important to get NAT-T and MOBIKE to work as
there the source address might change (either because NAT box rebooted
or otherwise forgot the mapping, and gave new IP address for the IPsec
connection, or because host moved around using MOBIKE).

> If we consider a middlebox that changes the IP address,
> then using ESP will not detect the IP address spoof. On the other hand using
> AH the spoofing attack will be detected.

> Thus I would not consider AH as ESP_NULL equivalent, and thus feel AH should
> not be removed. Nevertheless, AH has a major drawback which is NAT. For now
> we can only hope IPv6 will bring an end-to-end connectivity. At least AH
> would take considerable advantage of this statement!

To reiterate for others, the major drawback in AH is that it actually
detects changes in the source / destination IP addresses, thus it
breaks if there are evil attackers (called NATs) in the middle who try
to modify source and/or destination addresses...

> IMO, rather than removing AH I would see if future use of the Internet makes
> it "historical" or not. For now it might be too soon to take such a
> decision. Furthermore, AH does not cause "problems" with other protocols,
> since they can choose not to use it.

I agree.
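The two mechanisms discussed in this thread, the RFC 4301 section 4.1 inbound SAD lookup that matches on SPI (or SPI plus protocol) without consulting the outer addresses, and the difference in what AH and ESP integrity-protect, can be seen side by side in a small model. The following is an added example written for this archive page, not code from the thread participants or from any IPsec implementation: the SA table, addresses and key are constructed, the ICV is a truncated HMAC-SHA256 standing in for whatever integrity algorithm the SA would negotiate, and only the fields needed to show the point are modelled (the "immutable IP header fields" AH covers are reduced to the two addresses).

```python
"""Toy model: RFC 4301 inbound SAD lookup, and AH vs ESP ICV coverage
under an address-rewriting middlebox (NAT) or a MOBIKE address change."""
import hashlib
import hmac
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # ESP or AH
    spi: int
    payload: bytes
    icv: bytes = b""


@dataclass(frozen=True)
class SA:
    spi: int
    proto: int
    key: bytes


def sad_lookup(sad, pkt, single_spi_space):
    """RFC 4301 4.1 case 3: match on SPI only (single SPI space for AH and
    ESP) or on SPI and protocol. Outer IP addresses are not consulted, which
    is exactly what lets NAT-T and MOBIKE keep working after an address change."""
    for sa in sad:
        if sa.spi == pkt.spi and (single_spi_space or sa.proto == pkt.proto):
            return sa
    return None


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:12]  # 96-bit truncated ICV


def ah_icv(sa, src, dst, spi, payload):
    # AH covers the immutable outer IP header fields (modelled as src/dst here)
    return _mac(sa.key, src.encode() + dst.encode() + spi.to_bytes(4, "big") + payload)


def esp_icv(sa, spi, payload):
    # ESP covers only the ESP header and payload, never the outer IP header
    return _mac(sa.key, spi.to_bytes(4, "big") + payload)


def protect(sa, src, dst, payload):
    """Outbound: build a packet carrying the ICV the SA's protocol would compute."""
    if sa.proto == AH:
        icv = ah_icv(sa, src, dst, sa.spi, payload)
    else:
        icv = esp_icv(sa, sa.spi, payload)
    return Packet(src, dst, sa.proto, sa.spi, payload, icv)


def verify(sad, pkt, single_spi_space=False):
    """Inbound: SAD lookup, then ICV check. Returns (sa_found, icv_ok)."""
    sa = sad_lookup(sad, pkt, single_spi_space)
    if sa is None:
        return False, False
    if sa.proto == AH:
        expected = ah_icv(sa, pkt.src, pkt.dst, pkt.spi, pkt.payload)
    else:
        expected = esp_icv(sa, pkt.spi, pkt.payload)
    return True, hmac.compare_digest(expected, pkt.icv)


def nat_rewrite(pkt, new_src):
    """Model a middlebox (or a MOBIKE move) changing the outer source address."""
    return Packet(new_src, pkt.dst, pkt.proto, pkt.spi, pkt.payload, pkt.icv)


def demo():
    key = b"constructed-demo-key"                      # constructed, not a real key
    sad = [SA(0x1000, ESP, key), SA(0x2000, AH, key)]  # constructed SA table
    payload = b"hello"
    esp_pkt = protect(sad[0], "10.0.0.2", "192.0.2.1", payload)
    ah_pkt = protect(sad[1], "10.0.0.2", "192.0.2.1", payload)
    results = {
        "esp_direct": verify(sad, esp_pkt),
        "ah_direct": verify(sad, ah_pkt),
        # the SAD still finds the SA after the rewrite; only AH's ICV notices it
        "esp_after_nat": verify(sad, nat_rewrite(esp_pkt, "203.0.113.7")),
        "ah_after_nat": verify(sad, nat_rewrite(ah_pkt, "203.0.113.7")),
    }
    # An AH packet carrying the ESP SA's SPI matches only in a single SPI space
    stray = Packet("10.0.0.2", "192.0.2.1", AH, 0x1000, b"")
    results["spi_only_match"] = sad_lookup(sad, stray, True) is sad[0]
    results["spi_and_proto_no_match"] = sad_lookup(sad, stray, False) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints each case; the "after NAT" pair is the point of the thread: the ESP packet is found and verifies after its source address is rewritten, while the AH packet is found by the same SPI-based lookup but fails its ICV, which is the behaviour described above as both AH's strength against address spoofing and its incompatibility with NAT. The last two entries show the single-SPI-space versus SPI-plus-protocol lookup choice from the quoted RFC 4301 text.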