Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
<Pasi.Eronen@nokia.com> Wed, 14 October 2009 09:52 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 230953A690B for <ipsec@core3.amsl.com>; Wed, 14 Oct 2009 02:52:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_37=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eanLgydNFBzL for <ipsec@core3.amsl.com>; Wed, 14 Oct 2009 02:52:53 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id D15543A6857 for <ipsec@ietf.org>; Wed, 14 Oct 2009 02:52:52 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx06.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id n9E9qncv006722; Wed, 14 Oct 2009 12:52:50 +0300
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 14 Oct 2009 12:52:47 +0300
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by esebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 14 Oct 2009 12:52:47 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.5]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 14 Oct 2009 12:52:42 +0300
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-01.mgdnok.nokia.com ([65.54.30.5]) with mapi; Wed, 14 Oct 2009 11:52:41 +0200
From: Pasi.Eronen@nokia.com
To: g_e_montenegro@yahoo.com, yaronf@checkpoint.com, kivinen@iki.fi, ken.grewal@intel.com
Date: Wed, 14 Oct 2009 11:52:40 +0200
Thread-Topic: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
Thread-Index: AcpMSSdhuMAl5VoHTZCd4v1fY8CcZQAarmlQ
Message-ID: <808FD6E27AD4884E94820BC333B2DB773C099FDDE3@NOK-EUMSG-01.mgdnok.nokia.com>
References: <808FD6E27AD4884E94820BC333B2DB773C06B22D72@NOK-EUMSG-01.mgdnok.nokia.com> <C49B4B6450D9AA48AB99694D2EB0A483325793BA@rrsmsx505.amr.corp.intel.com> <19127.24553.76610.294336@fireball.kivinen.iki.fi> <7F9A6D26EB51614FBF9F81C0DA4CFEC80190AD328491@il-ex01.ad.checkpoint.com> <569256.53993.qm@web82608.mail.mud.yahoo.com>
In-Reply-To: <569256.53993.qm@web82608.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Oct 2009 09:52:42.0353 (UTC) FILETIME=[129C2E10:01CA4CB4]
X-Nokia-AV: Clean
Cc: ipsec@ietf.org
Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic-visibility
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2009 09:52:54 -0000
Thanks -- I've asked the secretariat to start the IETF Last Call! Here are the first IETF Last Call comments (none of them major): - The text about 8-octet alignment probably needs some small clarifications. For IPv6, 8-octet alignment is not optional, so "SHOULD" is not really correct. And there's an exception: if you're doing UDP encapsulation, the 0x00000002 SPI/protocol identifier takes four octets, so the IPv6Padding field isn't included in that case. - The bit numbers in Figure 4 aren't aligned. - [RFC3948] and [RFC5226] should be normative references, not informative. Best regards, Pasi > -----Original Message----- > From: ext gabriel montenegro [mailto:g_e_montenegro@yahoo.com] > Sent: 14 October, 2009 00:07 > To: Yaron Sheffer; Tero Kivinen; Grewal, Ken > Cc: ipsec@ietf.org; Eronen Pasi (Nokia-NRC/Helsinki) > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme-traffic- > visibility > > Just to make sure this does not fall through the cracks: we've > submitted rev 09 last week to address > the AD review comments per discussion on the mailing list and at the > virtual interim. > > > > ----- Original Message ---- > > From: Yaron Sheffer <yaronf@checkpoint.com> > > To: Tero Kivinen <kivinen@iki.fi>; "Grewal, Ken" > <ken.grewal@intel.com> > > Cc: "ipsec@ietf.org" <ipsec@ietf.org>; "Pasi.Eronen@nokia.com" > <Pasi.Eronen@nokia.com> > > Sent: Mon, September 21, 2009 5:40:19 AM > > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme- > traffic-visibility > > > > Hi Tero, > > > > Given that the existing ESP header is integrity-protected, I don't > see the > > downside to adding the same protection for the new header. On the > other hand, > > this would eliminate a whole class of vulnerabilities. We still have > a few > > reserved bits in the WESP header, and you don't want to find out > years down the > > road that they cannot be used because they're not protected in > transit. > > > > Thanks, > > Yaron > > > > > -----Original Message----- > > > From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org] On > Behalf Of > > > Tero Kivinen > > > Sent: Monday, September 21, 2009 14:14 > > > To: Grewal, Ken > > > Cc: ipsec@ietf.org; Pasi.Eronen@nokia.com > > > Subject: Re: [IPsec] AD review comments for draft-ietf-ipsecme- > traffic- > > > visibility > > > > > > Grewal, Ken writes: > > > > >- A question: did the WG discuss the pros and cons of integrity > > > > >protecting the WESP header? (This does make WESP more complex to > > > > >implement, and currently the WESP header does not contain any > data > > > > >that would benefit from integrity protection in any way.) > > > > [Ken] This change was the result of a discussion on threats posed > by > > > > 'malware', which could modify the WESP headers to obfuscate the > > > > payload from inspection by intermediate nodes such as IDS/IPS > > > > systems. > > > > The issue (ticket #104) was raised and closed some time back > after > > > > lengthy discussions on the topic. > > > > http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104 > > > > > > As everything in the WESP header is something that can be verified > by > > > the recipient node why is the integrity protection needed? > > > > > > I think it would make implementation WESP much easier if it can be > > > done as post processing step after ESP has been applied, in a > similar > > > way UDP encapsulation can be done to the ESP packet. > > > -- > > > kivinen@iki.fi > > > _______________________________________________ > > > IPsec mailing list > > > IPsec@ietf.org > > > https://www.ietf.org/mailman/listinfo/ipsec > > > > > > Scanned by Check Point Total Security Gateway. > > > > Email secured by Check Point > > > > Email secured by Check Point > > _______________________________________________ > > IPsec mailing list > > IPsec@ietf.org > > https://www.ietf.org/mailman/listinfo/ipsec
- [IPsec] AD review comments for draft-ietf-ipsecme… Pasi.Eronen
- [IPsec] AD review comments for draft-ietf-ipsecme… Tero Kivinen
- Re: [IPsec] AD review comments for draft-ietf-ips… Grewal, Ken
- Re: [IPsec] AD review comments for draft-ietf-ips… Tero Kivinen
- Re: [IPsec] AD review comments for draft-ietf-ips… Yaron Sheffer
- Re: [IPsec] AD review comments for draft-ietf-ips… gabriel montenegro
- Re: [IPsec] AD review comments for draft-ietf-ips… Pasi.Eronen