Re: [IPsec] I-D Action:draft-ietf-ipsecme-esp-null-heuristics-00.txt
Tero Kivinen <kivinen@iki.fi> Tue, 07 July 2009 19:41 UTC
Date: Tue, 07 Jul 2009 22:36:46 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: ipsec@ietf.org
Subject: Re: [IPsec] I-D Action:draft-ietf-ipsecme-esp-null-heuristics-00.txt

Paul Hoffman writes:
> > Title : Heuristics for Detecting ESP-NULL packets
> Soooo, that was two months ago, and there has been no discussion.
> Has anyone other than the document authors (and the WESP authors)
> read the document? Does the WG find this to be useful?
>
> Tero and Dan: have you found anything that you want to change?

We did receive few comments that might be added to the draft, those
were about the GCM IV (i.e. they might not be random, but might be
counter, which means they might have lots of zeroes in the beginning,
and that might affect the heuristics a bit), and another were about
adding some section about how end-nodes can make small changes to make
the heuristics more efficient (i.e. use more than minimal number of
padding, for first few packets for new SA, and make sure GCM IVs look
random enough, so they cannot be confused for TCP or UDP headers).

I have not made those changes, as I am not sure if we want to even add
both of them. I was mostly waiting for more comments and then think
again about whether to add those or not.

Ps. I am currently on vacation until IETF, so I am reading my emails
very randomly...
--
kivinen@iki.fi
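
The padding suggestion in the message above, worked through as an added example (not code from the draft or from the message's author): a middlebox-side ESP trailer check that counts how many padding bytes follow the RFC 4303 default 1,2,3,... pattern, which shows why extra padding on early packets gives the heuristic more to verify. The function names, the 12-byte ICV and the set of plausible next-header values are assumptions of this sketch.

```python
import struct

ICV_LEN = 12  # assumed: 96-bit ICV such as HMAC-SHA1-96; ESP-NULL carries no IV
# Assumed set of "plausible" next-header values: ICMP, IPv4, TCP, UDP, IPv6, ICMPv6
PLAUSIBLE_NEXT_HEADERS = {1, 4, 6, 17, 41, 58}


def build_esp_null(spi, seq, next_header, payload, extra_pad_words=0):
    """Constructed sample sender: RFC 4303 layout with default 1,2,3,... padding.

    extra_pad_words adds 4-byte words of padding beyond the minimum needed
    to right-align Pad Length / Next Header on a 4-byte boundary.
    """
    pad_len = (-(len(payload) + 2)) % 4 + 4 * extra_pad_words
    if pad_len > 255:
        raise ValueError("Pad Length is a single byte")
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    icv = bytes(ICV_LEN)  # placeholder; a middlebox has no key to verify it
    return struct.pack("!II", spi, seq) + payload + trailer + icv


def verified_padding_bytes(esp_packet, icv_len=ICV_LEN):
    """Middlebox-side trailer check for one guessed ICV length.

    Returns the number of padding bytes that match 1,2,3,... or None when
    the trailer is inconsistent with ESP-NULL at this ICV length.
    """
    if len(esp_packet) < 8 + 2 + icv_len:
        return None
    body = esp_packet[8:len(esp_packet) - icv_len]  # drop SPI+seq and ICV
    pad_len, next_header = body[-2], body[-1]
    if next_header not in PLAUSIBLE_NEXT_HEADERS:
        return None
    if pad_len > len(body) - 2 or len(body) % 4 != 0:
        return None
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    return pad_len if padding == bytes(range(1, pad_len + 1)) else None


def chance_random_passes(pad_len):
    """Chance that uniformly random (encrypted) bytes show a valid trailer
    with exactly pad_len padding bytes: next header, pad length, padding."""
    return len(PLAUSIBLE_NEXT_HEADERS) / 256 * 256.0 ** -(pad_len + 1)
```

With minimal padding a packet may carry zero to three padding bytes, so the trailer check rests mostly on the Next Header and Pad Length bytes; each additional padding byte that matches the pattern cuts the chance of an encrypted packet passing by a factor of 256.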