Grewal, Ken writes:
> > - A question: did the WG discuss the pros and cons of integrity
> > protecting the WESP header? (This does make WESP more complex to
> > implement, and currently the WESP header does not contain any data
> > that would benefit from integrity protection in any way.)
>
> [Ken] This change was the result of a discussion on threats posed by
> 'malware', which could modify the WESP headers to obfuscate the
> payload from inspection by intermediate nodes such as IDS/IPS
> systems.
> The issue (ticket #104) was raised and closed some time back after
> lengthy discussions on the topic.
> http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104
As everything in the WESP header is something that can be verified by
the recipient node, why is the integrity protection needed? I think it
would make implementing WESP much easier if it could be done as a
post-processing step after ESP has been applied, in a similar way to how
UDP encapsulation can be done to the ESP packet.

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
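The two points above, WESP as a post-processing step over a finished ESP packet and the receiver recomputing every WESP field from what it already knows, as an added example that is not code from this thread or from any IPsec implementation. It assumes a four-octet WESP header (Next Header, HdrLen, TrailerLen, then a Version/E/P/Rsvd flags octet), no WESP padding, and that the receiver holds the SA parameters and the Next Header value taken from the ESP trailer; the ESP packet is constructed.

```python
import struct

WESP_VERSION = 0
WESP_HDR_LEN = 4          # fixed header only; P (padding) bit left clear

def wrap_wesp(esp_packet, iv_len, icv_len, encrypted, next_header):
    """Sender-side post-processing: build the WESP header purely from SA
    parameters and prepend it to an already finished ESP packet."""
    hdr_len = WESP_HDR_LEN + 8 + iv_len          # WESP + SPI(4) + SN(4) + IV
    flags = (WESP_VERSION << 6) | (0x20 if encrypted else 0)   # E bit assumed at 0x20
    return struct.pack("!BBBB", next_header, hdr_len, icv_len, flags) + esp_packet

def check_wesp(packet, iv_len, icv_len, encrypted, next_header):
    """Receiver-side check: recompute every WESP field from what the receiver
    already knows (the SA and the ESP trailer) and list any mismatches.
    An empty list means the header carries nothing the receiver could not
    have derived itself."""
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", packet[:4])
    mismatches = []
    if flags >> 6 != WESP_VERSION:
        mismatches.append("version")
    if flags & 0x10:                       # no WESP padding on this SA (assumption)
        mismatches.append("p-flag")
    if flags & 0x0F:                       # reserved bits must be zero
        mismatches.append("reserved")
    if hdr_len != WESP_HDR_LEN + 8 + iv_len:
        mismatches.append("hdrlen")
    if trailer_len != icv_len:
        mismatches.append("trailerlen")
    if bool(flags & 0x20) != encrypted:
        mismatches.append("e-flag")
    if next_hdr != next_header:
        mismatches.append("nexthdr")
    return mismatches

# Constructed ESP packet: SPI, SN, 8-octet IV, 16 octets ciphertext, 12-octet ICV.
ESP_SAMPLE = (bytes.fromhex("00001001" "00000007") + bytes(range(8))
              + bytes(16) + b"\xaa" * 12)
SA = dict(iv_len=8, icv_len=12, encrypted=True, next_header=6)   # TCP inside (constructed)

WESP_SAMPLE = wrap_wesp(ESP_SAMPLE, **SA)

if __name__ == "__main__":
    print(check_wesp(WESP_SAMPLE, **SA))                   # []
    forged = WESP_SAMPLE[:1] + b"\x40" + WESP_SAMPLE[2:]   # HdrLen rewritten in transit
    print(check_wesp(forged, **SA))                        # ['hdrlen']
```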