Re: [IPsec] diet-esp - How do you know?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Tue, 24 May 2022 20:56 UTC

From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Daniel Migault <mglt.ietf@gmail.com>, Robert Moskowitz <rgm-sec@htt-consult.com>
CC: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>, IPsecME WG <ipsec@ietf.org>
Date: Tue, 24 May 2022 20:56:14 +0000
Message-ID: <CH0PR11MB544485C64BF43499C0DBBC6FC1D79@CH0PR11MB5444.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/zJJjtMVzc1KtFKDjo_O3xqxE3HM>
Subject: Re: [IPsec] diet-esp - How do you know?

The easiest way would be to assign the first few bits of the SPI to indicate the SPI size; for example, all 8 bit SPIs might be allocated to have the first two bits being 11; all 16 bit SPIs might have those two bits being 10; etc.  That way, an examination of the first few bits of the SPI would unambiguously give you the SPI size.

Obviously, this doesn’t apply to a ‘0 byte SPI’.  I have no idea how that is intended to be processed; does that mean that the decrypter is expected to just try to decrypt the packet with all the SAs he has and see which one worked?

From: IPsec <ipsec-bounces@ietf.org> On Behalf Of Daniel Migault
Sent: Tuesday, May 24, 2022 4:48 PM
To: Robert Moskowitz <rgm-sec@htt-consult.com>
Cc: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>; IPsecME WG <ipsec@ietf.org>
Subject: Re: [IPsec] diet-esp - How do you know?

The issue only comes when a gateway wants to support all sizes of SPIs 0 - 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I would suggest using IP addresses and the minimum allowed byted compressed SPI.
If you use 2 - 3 bytes, the likelihood of collision might still be very low to support an additional signature check.

Yours,
Daniel

On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
That is the 'easy' part.

What does the code do when it receives an ESP packet?  How does it know that it is a diet-esp packet and apply the rules?

Next Header just says: ESP.
On 5/24/22 16:23, Daniel Migault wrote:
This is correct. IKEv2 is used both to agree on the use of Diet-ESP as well as values to be used for the compression/decompression.

Yours,
Daniel

On Tue, May 24, 2022 at 11:14 AM Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org> wrote:

On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-sec@htt-consult.com> wrote:
I think there is something else I am missing here.

How does the receiving system 'know' that the packet is a diet-esp packet?

https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02

It's negotiated with IKEv2.

I guess the IKE stack has to signal this to the ESP implementation on what to expect when the policy is installed?

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec


--
Daniel Migault
Ericsson
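
The SPI-size prefix suggested at the top of this message, sketched as a receiver-side parser. This is an added example, not code from the thread or from the diet-esp draft. The mappings 11 -> 8 bits and 10 -> 16 bits come from the message; 01 -> 24 bits and 00 -> 32 bits, and the function names, are assumptions made here to complete the "etc.".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SPI size in bytes, read from the two leading bits of the first byte.
 * 11 -> 1 byte and 10 -> 2 bytes are the values given in the message;
 * 01 -> 3 bytes and 00 -> 4 bytes are assumptions for this sketch. */
static size_t spi_len_from_prefix(uint8_t first_byte)
{
    switch (first_byte >> 6) {
    case 3:  return 1;
    case 2:  return 2;
    case 1:  return 3;
    default: return 4;
    }
}

/* Parse the SPI at the start of an ESP payload.
 * Returns the SPI length in bytes and stores the SPI (prefix bits
 * included) in *spi, or returns 0 if the buffer is shorter than the
 * length the prefix announces. */
size_t parse_spi(const uint8_t *pkt, size_t pkt_len, uint32_t *spi)
{
    if (pkt == NULL || spi == NULL || pkt_len == 0)
        return 0;
    size_t n = spi_len_from_prefix(pkt[0]);
    if (pkt_len < n)
        return 0;            /* truncated: never fall back to a shorter SPI */
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++)
        v = (v << 8) | pkt[i];
    *spi = v;
    return n;
}

int main(void)
{
    /* Constructed sample: a 2-byte SPI (prefix 10) followed by payload. */
    const uint8_t pkt[] = { 0x81, 0x02, 0xFF, 0xEE };
    uint32_t spi = 0;
    size_t n = parse_spi(pkt, sizeof pkt, &spi);
    printf("SPI length %zu, SPI 0x%X\n", n, (unsigned)spi);
    return 0;
}
```

Because the prefix bits are part of the SPI value, each size class loses two bits of identifier space: an 8-bit SPI leaves 64 usable values and a 16-bit SPI leaves 16384.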

