Russ, I think we agree here: the end nodes need to validate the WESP header info.
As I noted before, one could do this by modifying the ICV or by explicitly checking those WESP fields at the end nodes. I think there has been enough feedback to the effect that modifying the ICV is overkill and has some downsides. So, ok, I think in the next rev of the draft we should go back to *not* modifying the ICV (i.e., not including the WESP header fields in the ICV). This would leave WESP as a wrapper (as it started).

The other threads and messages are hopefully addressing your other concerns.

thanks,

Gabriel

----- Original Message ----
> From: Russ Housley <hous...@vigilsec.com>
> To: gabriel montenegro <g_e_montene...@yahoo.com>
> Cc: "ipsec@ietf.org" <ipsec@ietf.org>
> Sent: Tue, January 5, 2010 2:52:24 PM
> Subject: Re: [IPsec] Traffic visibility - consensus call
>
> Gabriel:
>
> > Some of us believe that allowing WESP to carry encrypted packets is within the charter
> > (there's some recent messages today to this effect). Unfortunately, there's been wording along the lines
> > that the working group realized it was going off-charter, but no such conclusion has been
> > arrived at (and some of us don't share it).
>
> I see the discussion, but so far, I am not convinced by it. I'm still listening ...
>
> > Additionally, allowing WESP to carry encrypted packets does not (at least in my mind)
> > make it a general alternative for ESP. WESP has certain applicabilities, and when
> > cooperating with intermediaries is not an issue (e.g., outside of organizational deployments)
> > one could use encrypted ESP packets instead.
>
> It is a replacement (as opposed to a wrapper) if the portions of the packet that are covered by the ICV are different.
>
> Russ
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
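One way an end node could perform the explicit check Gabriel describes (validating the WESP fields instead of covering them with the ICV), as an added example that is not part of this thread or of any WESP implementation. It assumes the 4-byte WESP header layout of RFC 5840 (Next Header, HdrLen, TrailerLen, Flags), an ESP-NULL packet with a 12-byte HMAC-SHA1-96 ICV computed over the ESP portion only, and a constructed key and packet; the ICV is verified first, then the unauthenticated WESP fields are cross-checked against the authenticated ESP contents, so a modified WESP header is rejected even though the ICV still verifies.

```python
import hmac, hashlib, struct

ICV_LEN = 12                       # HMAC-SHA1-96 truncation (constructed choice)
KEY = b"constructed-sample-key"    # constructed sample key, not a real SA key
WESP_HDR = 4                       # Next Header | HdrLen | TrailerLen | Flags
ESP_HDR = 8                        # SPI + Sequence Number (no IV for ESP-NULL)

def build_wesp_esp_null(spi, seq, payload, next_header):
    """Constructed sender side: ESP-NULL (integrity only) wrapped in WESP."""
    pad_len = (-(len(payload) + 2)) % 4            # ESP trailer must 4-byte align
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    esp = struct.pack("!II", spi, seq) + payload + trailer
    icv = hmac.new(KEY, esp, hashlib.sha1).digest()[:ICV_LEN]   # ESP only, not WESP
    flags = 0x00                                   # Version=0, E=0 (cleartext), P=0
    wesp = struct.pack("!BBBB", next_header, WESP_HDR + ESP_HDR,
                       pad_len + 2 + ICV_LEN, flags)
    return wesp + esp + icv

def validate_wesp(pkt):
    """End-node receive check; returns (ok, reason)."""
    if len(pkt) < WESP_HDR + ESP_HDR + 2 + ICV_LEN:
        return False, "too short"
    nh, hdr_len, trailer_len, flags = struct.unpack("!BBBB", pkt[:WESP_HDR])
    if flags >> 6 != 0:
        return False, "unknown WESP version"
    if flags & 0x0F:
        return False, "reserved flag bits set"
    if flags & 0x20:
        return False, "E bit set: this sample handles ESP-NULL only"
    # 1. Authenticate the ESP portion; the WESP header is outside the ICV.
    esp, icv = pkt[WESP_HDR:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(KEY, esp, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "ESP ICV mismatch"
    # 2. Cross-check the unauthenticated WESP fields against authenticated ESP data.
    pad_len, esp_nh = esp[-2], esp[-1]
    if hdr_len != WESP_HDR + ESP_HDR:
        return False, "HdrLen does not match ESP-NULL header"
    if trailer_len != pad_len + 2 + ICV_LEN:
        return False, "TrailerLen does not match ESP trailer"
    if nh != esp_nh:
        return False, "WESP Next Header differs from ESP trailer"
    return True, "ok"
```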