I believe Ken is alluding to removing the WESP header from the ICV calculation, and relying on explicitly checking the WESP header at the endnodes.
Cheers, Manav

> -----Original Message-----
> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org]
> On Behalf Of pasi.ero...@nokia.com
> Sent: Monday, January 11, 2010 1.59 PM
> To: ken.gre...@intel.com
> Cc: ipsec@ietf.org
> Subject: Re: [IPsec] Traffic visibility - consensus call
>
> Ken Grewal wrote:
>
> > The either-or on using an ICV or explicitly checking the WESP header
> > on the recipient was based on the assumption that the threat does
> > not come from the sender and only from some other malicious entity
> > after the packet has been sent.
> >
> > This was the reason for simplifying the header check by using the
> > ICV, instead of explicitly checking every field.
>
> Note that the current draft *does* explicitly check every field.
> Are you proposing removing those checks?
>
> Best regards,
> Pasi
> (not wearing any hats)
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec