Manav, So let's say the normal (removed WESP header) ICV calculations by ESP are correct but something doesn't match between the (now unprotected) WESP header and the rest of the packet. Why should the recipient care? WESP is for middleboxes. The end node has an assurance that the _meaningful_ portion of the frame was sent by the claimed sender and was not modified in transit. Any decisions made by a middlebox that might've involved an improperly modified WESP header are over and done with. He doesn't care if the packet was properly handled by middleboxes or not, he got it and it's correct.
You trust the end nodes to negotiate WESP and encapsulate their ESP packets in WESP but you don't trust the content they put into those packets. Is that the trust model you're operating on? The more I think of this problem the more worthless WESP becomes.

Dan.

On Mon, January 11, 2010 1:02 am, Bhatia, Manav (Manav) wrote:
> I believe Ken is alluding to removing the WESP header from the ICV
> calculation, and relying on explicitly checking the WESP header at the
> endnodes.
>
> Cheers, Manav
>
>> -----Original Message-----
>> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org]
>> On Behalf Of pasi.ero...@nokia.com
>> Sent: Monday, January 11, 2010 1.59 PM
>> To: ken.gre...@intel.com
>> Cc: ipsec@ietf.org
>> Subject: Re: [IPsec] Traffic visibility - consensus call
>>
>> Ken Grewal wrote:
>>
>> > The either-or on using an ICV or explicitly checking the WESP header
>> > on the recipient was based on the assumption that the threat does
>> > not come from the sender and only from some other malicious entity
>> > after the packet has been sent.
>> >
>> > This was the reason for simplifying the header check by using the
>> > ICV, instead of explicitly checking every field.
>>
>> Note that the current draft *does* explicitly check every field.
>> Are you proposing removing those checks?
>>
>> Best regards,
>> Pasi
>> (not wearing any hats)
>> _______________________________________________
>> IPsec mailing list
>> IPsec@ietf.org
>> https://www.ietf.org/mailman/listinfo/ipsec
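An added illustration of the either-or discussed in this thread (ESP ICV computed with the WESP header removed, so a mismatched WESP header has to be caught by explicit per-field checks at the receiver); this is example code written for this page, not code from the draft or any implementation. It assumes the RFC 5840 header layout (Next Header, HdrLen, TrailerLen, Flags), a cleartext ESP packet with no IV, an HMAC-SHA256 ICV with a constructed key, and consistency rules of my own choosing rather than the draft's normative list.

```python
import hashlib
import hmac
import struct

# Constructed packet format: WESP(4) | SPI(4) | Seq(4) | payload | pad |
# PadLen(1) | NextHdr(1) | ICV(32). E=0 (cleartext), no IV, no WESP padding.
ICV_LEN = 32
KEY = b"constructed-demo-key"  # constructed demo key, not a real SA key

def esp_icv(esp_without_icv: bytes) -> bytes:
    # ICV covers the ESP portion only: the WESP header is *not* protected.
    return hmac.new(KEY, esp_without_icv, hashlib.sha256).digest()

def build_packet(payload: bytes, next_hdr: int = 4) -> bytes:
    pad = b"\x00" * ((4 - (len(payload) + 2) % 4) % 4)
    esp = struct.pack("!II", 0x1001, 1) + payload + pad + bytes([len(pad), next_hdr])
    esp += esp_icv(esp)
    hdr_len = 4 + 8                          # WESP header + SPI + Seq, no IV
    trailer_len = len(pad) + 2 + ICV_LEN     # pad + PadLen + NextHdr + ICV
    flags = 0x00                             # Version=0, E=0, P=0, Reserved=0
    return bytes([next_hdr, hdr_len, trailer_len, flags]) + esp

def icv_ok(pkt: bytes) -> bool:
    # Receiver side: strip WESP header, verify the ICV over ESP only.
    esp = pkt[4:]
    return hmac.compare_digest(esp_icv(esp[:-ICV_LEN]), esp[-ICV_LEN:])

def wesp_fields_ok(pkt: bytes) -> bool:
    # Receiver side: cross-check every field of the unprotected WESP header
    # against the ESP packet it encapsulates (illustrative rules).
    next_hdr, hdr_len, trailer_len, flags = pkt[:4]
    esp = pkt[4:]
    if flags & 0xC0 or flags & 0x0F:         # Version must be 0, Reserved must be 0
        return False
    if flags & 0x20:                         # E bit set: trailer is not visible,
        return True                          # nothing further to cross-check here
    if hdr_len != 12 or trailer_len > len(esp) or trailer_len < 2 + ICV_LEN:
        return False
    pad_len, esp_next = esp[-ICV_LEN - 2], esp[-ICV_LEN - 1]
    return esp_next == next_hdr and trailer_len == pad_len + 2 + ICV_LEN

def accept(pkt: bytes) -> bool:
    # Both checks are needed once the ICV no longer covers the WESP header.
    return icv_ok(pkt) and wesp_fields_ok(pkt)
```

Flipping a bit in the WESP Next Header leaves `icv_ok` true (the ICV never covered it) while `wesp_fields_ok` fails, which is exactly the case the thread is weighing.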