Re: [IPsec] WESP - Roadmap Ahead

Stephen Kent <> Wed, 25 November 2009 14:40 UTC

Date: Wed, 25 Nov 2009 09:40:00 -0500
To: Daniel Migault <>
From: Stephen Kent <>
Cc: "" <>, "Bhatia, Manav \(Manav\)" <>, Merike Kaeo <>
Subject: Re: [IPsec] WESP - Roadmap Ahead

At 12:11 PM +0100 11/25/09, Daniel Migault wrote:
>Hi Manav,
>I agree that for an already negotiated SA, the SPD lookup detects IP 
>source address spoofing. So in that case ESP detects the address 
>spoofing during the SPD check whereas AH would detect it while 
>checking the signature check.
>However SAD lookup is done with the longest match rule, and section 
>4.1 of RFC4301 specifies:
>       "3. Search the SAD for a match on only SPI if the receiver has
>          chosen to maintain a single SPI space for AH and ESP, and on
>          both SPI and protocol, otherwise."
>This seems to enable an ESP or AH datagram with spoofed IP addresses 
>to match the SAD and SPD.

I'm confused at this juncture.  The 4301 inbound processing algorithm 
(section 5.2 in RFC 4310) refers to SAD entries for processing 
IPsec-protected packets; the SPD inbound cache (SPD-I) is used only 
for bypass and discard traffic. So there should be no reference to 
the SPD in the sentence immediately above, right?

Also, you should remind folks that this rule applies only to 
multicast SAs. That's relevant to the OSPFv3 discussion we are 
having, but it seems inconsistent with the comment below of a 
middlebox that changes addresses, i.e., does one really expect to 
encounter a NAT on a link between two routers running OSPF?

I am not criticizing your later comments about AH vs. ESP 
applicability in mobile environments, just trying to keep the various 
arguments straight.
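A small model of the RFC 4301 section 4.1 inbound SAD lookup the thread is debating, added here as an illustration and not code from the list or from any IPsec implementation. The SAD entries, addresses and SPIs are constructed, and restricting the SPI-only step to unicast entries (those with no address in their key) is an assumption about how the SAD is organised.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

AH, ESP = 51, 50  # IP protocol numbers for AH and ESP


@dataclass(frozen=True)
class SadEntry:
    """Constructed SAD entry holding only the fields the lookup keys on."""
    spi: int
    protocol: int              # AH or ESP
    dst: Optional[str] = None  # group address for a multicast SA, None for unicast
    src: Optional[str] = None  # source address for a source-specific multicast SA
    name: str = ""


class Packet(NamedTuple):
    src: str
    dst: str
    protocol: int
    spi: int


def sad_lookup(sad: List[SadEntry], pkt: Packet,
               single_spi_space: bool = True) -> Optional[SadEntry]:
    """Inbound SAD lookup per RFC 4301 section 4.1, steps 1 to 3.
    Returns the matching entry, or None (discard and log an auditable event)."""
    # Step 1: SPI + destination + source (source-specific multicast SAs).
    for e in sad:
        if e.src is not None and (e.spi, e.dst, e.src) == (pkt.spi, pkt.dst, pkt.src):
            return e
    # Step 2: SPI + destination (any-source multicast SAs).
    for e in sad:
        if e.src is None and e.dst is not None and (e.spi, e.dst) == (pkt.spi, pkt.dst):
            return e
    # Step 3: SPI only (single SPI space) or SPI + protocol (separate spaces).
    # Assumption: only unicast entries (no address in the key) are matched here.
    # The source address is not consulted, so a unicast SA is found even when the
    # source is spoofed; detecting that is left to the SA's ICV and selector checks.
    for e in sad:
        if e.dst is None and e.spi == pkt.spi and (single_spi_space or e.protocol == pkt.protocol):
            return e
    return None


# Constructed SAD: a unicast ESP SA and an any-source multicast AH SA (AllSPFRouters).
SAD = [
    SadEntry(spi=0x1000, protocol=ESP, name="esp-unicast"),
    SadEntry(spi=0x2000, protocol=AH, dst="224.0.0.5", name="ah-ospf-allspf"),
]
```

Running the lookup with a unicast packet whose source address has been altered still returns the ESP SA, which is the behaviour the quoted text describes; the multicast AH SA is only returned when the destination group matches.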