I believe Ken is alluding to removing the WESP header from the ICV calculation, and relying on explicitly checking the WESP header at the endnodes.
Cheers, Manav

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of [email protected]
> Sent: Monday, January 11, 2010 1.59 PM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [IPsec] Traffic visibility - consensus call
>
> Ken Grewal wrote:
>
> > The either-or on using an ICV or explicitly checking the WESP header
> > on the recipient was based on the assumption that the threat does
> > not come from the sender and only from some other malicious entity
> > after the packet has been sent.
> >
> > This was the reason for simplifying the header check by using the
> > ICV, instead of explicitly checking every field.
>
> Note that the current draft *does* explicitly check every field.
> Are you proposing removing those checks?
>
> Best regards,
> Pasi
> (not wearing any hats)
> _______________________________________________
> IPsec mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/ipsec
