IETF Logo Mail Archive

Re: [IPsec] Traffic visibility - consensus call

Min Huang <huangmin@huaweisymantec.com> Mon, 11 January 2010 06:38 UTC

Return-Path: <huangmin@huaweisymantec.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C173E3A69B9 for <ipsec@core3.amsl.com>; Sun, 10 Jan 2010 22:38:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHymZBBqKzxJ for <ipsec@core3.amsl.com>; Sun, 10 Jan 2010 22:38:02 -0800 (PST)
Received: from mta2.huaweisymantec.com (unknown [218.17.155.15]) by core3.amsl.com (Postfix) with ESMTP id A655A3A68AB for <ipsec@ietf.org>; Sun, 10 Jan 2010 22:38:02 -0800 (PST)
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: text/plain; charset="us-ascii"
Received: from hstml01-in.huaweisymantec.com ([172.26.3.42]) by hstga02-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTP id <0KW2003TGL31EK60@hstga02-in.huaweisymantec.com> for ipsec@ietf.org; Mon, 11 Jan 2010 14:37:49 +0800 (CST)
Received: from h00104745 ([10.27.154.97]) by hstml01-in.huaweisymantec.com (Sun Java(tm) System Messaging Server 6.3-8.03 (built Apr 24 2009; 32bit)) with ESMTPA id <0KW2000F2L30QA10@hstml01-in.huaweisymantec.com> for ipsec@ietf.org; Mon, 11 Jan 2010 14:37:48 +0800 (CST)
From: Min Huang <huangmin@huaweisymantec.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
Date: Mon, 11 Jan 2010 14:37:48 +0800
Message-id: <002b01ca9288$97867760$619a1b0a@china.huawei.com>
X-Mailer: Microsoft Office Outlook 11
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
Thread-index: AcqSiJcY0j/cHXB+QFCBKHYFTxwJMw==
Cc: ipsec@ietf.org
Subject: Re: [IPsec] Traffic visibility - consensus call
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2010 06:38:03 -0000

YES  to both.

The WESP header provides a kind of rapid *deterministic* detection method
for ESP_NULL packet. The heuristics method is too complex and it calls for
more computing resource and computing time. I doubt the middle box whether
will support the heuristics method  for ESP_NULL detection. Although
including the WESP header into ESP ICV calculation seems modifying ESP, it
is necessary to check the WESP header integrity for counter certain attacks.
The explicit  WESP integrity calculation is OK for me, too. 

I support WESP for encrypted ESP flow.  WESP has the capacity to provide
more functions by future extensibility than just traffic visibility for
ESP_NULL. Nowadays ESP is used much more widely for encrypted flow than
ESP_NULL flow. It is meaningful for middle detection machines to have the
ability to detecting encrypted traffic.  And then WESP could provide this
kind of traffic visibility for both encrypted flow and unencrypted flow in
future.  

regards,
Min


-----Original Message-----
From: ipsec-bounces@ietf.org [mailto:ipsec-bounces@ietf.org
<javascript:main.compose('new', 't=ipsec-bounces@ietf.org')> ] On Behalf Of
Yaron Sheffer
Sent: Tuesday, January 05, 2010 6:27 AM
To: ipsec@ietf.org
Subject: [IPsec] Traffic visibility - consensus call

Hi,

We have had a few "discusses" during the IESG review of the WESP draft. To
help resolve them, we would like to reopen the following two questions to WG
discussion. Well reasoned answers are certainly appreciated. But plain "yes"
or "no" would also be useful in judging the group's consensus.

- The current draft
(http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11)
<http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11)> 
defines the ESP trailer's ICV calculation to include the WESP header. This
has been done to counter certain attacks, but it means that WESP is no
longer a simple wrapper around ESP - ESP itself is modified. Do you support
this design decision?

- The current draft allows WESP to be applied to encrypted ESP flows, in
addition to the originally specified ESP-null. This was intended so that
encrypted flows can benefit from the future extensibility offered by WESP.
But arguably, it positions WESP as an alternative to ESP. Do you support
this design decision?

Thanks,
     Yaron
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
<https://www.ietf.org/mailman/listinfo/ipsec>

v2.23.0 | Report a Bug | By Email