Dan,

> > You trust the end nodes to negotiate WESP and encapsulate their ESP
> > packets in WESP but you don't trust the content they put into those
> > packets. Is that the trust model you're operating on?

No. We trust the end nodes to put the right information in the WESP header. But we don't trust the intermediaries, which could have mangled the packet so that it goes through the firewall/deep inspection device. If that happens, then the packet should not be consumed, which would make the attack by a malicious middle box worthless.

Hope this helps.

Manav

> > The more I think of this problem the more worthless WESP becomes.
> >
> > Dan.
> >
> > On Mon, January 11, 2010 1:02 am, Bhatia, Manav (Manav) wrote:
> > I believe Ken is alluding to removing the WESP header from the ICV
> > calculation, and relying on explicitly checking the WESP header at the
> > end nodes.
> >
> > Cheers, Manav
> >
> >> -----Original Message-----
> >> From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org]
> >> On Behalf Of pasi.ero...@nokia.com
> >> Sent: Monday, January 11, 2010 1.59 PM
> >> To: ken.gre...@intel.com
> >> Cc: ipsec@ietf.org
> >> Subject: Re: [IPsec] Traffic visibility - consensus call
> >>
> >> Ken Grewal wrote:
> >>
> >> > The either-or on using an ICV or explicitly checking the WESP header
> >> > on the recipient was based on the assumption that the threat does
> >> > not come from the sender and only from some other malicious entity
> >> > after the packet has been sent.
> >> >
> >> > This was the reason for simplifying the header check by using the
> >> > ICV, instead of explicitly checking every field.
> >>
> >> Note that the current draft *does* explicitly check every field.
> >> Are you proposing removing those checks?
> >>
> >> Best regards,
> >> Pasi
> >> (not wearing any hats)
> >> _______________________________________________
> >> IPsec mailing list
> >> IPsec@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ipsec
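The "either-or" Ken describes (cover the WESP header with the ESP ICV, or have the receiver explicitly check every header field) can be made concrete with a small model of both sides. The following is an added example written for this page; it is not code from the thread, from the traffic-visibility draft, or from any IPsec implementation. It assumes the 4-octet WESP header layout of the draft (Next Header, HdrLen, TrailerLen, Flags with Version/E/P/Reserved bits), no IV and no padding on the SA, a truncated HMAC-SHA-256 as a stand-in for the ESP ICV, and constructed values for the key, SPI, payload and the meaning of TrailerLen. `middlebox_rewrite` models the intermediary Manav refers to overwriting the Flags octet, so the receiver-side outcome can be compared with and without each of the two protections.

```python
"""Toy model of WESP receiver checks: ICV-covers-header versus explicit field checks.

Constructed example. Header layout follows the WESP draft as recalled here
(4 octets: Next Header, HdrLen, TrailerLen, Flags); everything else
(key, SPI, payload, ICV length, TrailerLen meaning) is an assumption.
"""
import hashlib
import hmac
import struct

ESP_PROTO = 50            # IP protocol number of ESP
WESP_HDR_LEN = 4          # Next Header, HdrLen, TrailerLen, Flags
ESP_HDR_LEN = 8           # SPI + Sequence Number (no IV on this toy SA)
ESP_TRAILER_LEN = 2       # Pad Length + Next Header (no padding on this SA)
ICV_LEN = 16              # truncated HMAC-SHA-256 output (constructed choice)
FLAG_VERSION_MASK = 0xC0  # two high bits: WESP version, must be 0
FLAG_E = 0x20             # E bit: payload is encrypted
FLAG_P = 0x10             # P bit: padding between WESP header and ESP header
FLAG_RESERVED = 0x0F      # low four bits: must be zero

KEY = b"constructed-demo-integrity-key"  # constructed sample key


def build_wesp_header(hdr_len, trailer_len, encrypted):
    """Version = 0, P = 0, Reserved = 0; E set according to the SA."""
    flags = FLAG_E if encrypted else 0
    return struct.pack("!BBBB", ESP_PROTO, hdr_len, trailer_len, flags)


def build_packet(spi, seq, payload, encrypted, icv_covers_wesp=True):
    """Sender: WESP header || ESP header || payload || ESP trailer || ICV."""
    trailer = struct.pack("!BB", 0, 4)          # Pad Length = 0, Next Header = 4 (IPv4)
    hdr_len = WESP_HDR_LEN + ESP_HDR_LEN        # offset from WESP start to payload
    trailer_len = ESP_TRAILER_LEN + ICV_LEN     # assumption: offset from packet end to Pad Length
    wesp = build_wesp_header(hdr_len, trailer_len, encrypted)
    esp = struct.pack("!II", spi, seq) + payload + trailer
    covered = wesp + esp if icv_covers_wesp else esp
    icv = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return wesp + esp + icv


def check_wesp_fields(wesp, sa_encrypted):
    """Explicit per-field checks against what the SA negotiated; None if all pass."""
    next_hdr, hdr_len, trailer_len, flags = struct.unpack("!BBBB", wesp)
    if next_hdr != ESP_PROTO:
        return "next header is not ESP"
    if flags & FLAG_VERSION_MASK:
        return "unsupported WESP version"
    if flags & FLAG_RESERVED:
        return "reserved flag bits set"
    if bool(flags & FLAG_E) != sa_encrypted:
        return "E bit disagrees with the SA"
    if flags & FLAG_P:
        return "P bit set but this SA negotiated no padding"
    if hdr_len != WESP_HDR_LEN + ESP_HDR_LEN:
        return "HdrLen inconsistent with the SA"
    if trailer_len != ESP_TRAILER_LEN + ICV_LEN:
        return "TrailerLen inconsistent with the SA"
    return None


def verify_packet(pkt, sa_encrypted, icv_covers_wesp=True, explicit_checks=True):
    """Receiver: returns (accepted, reason). Either protection alone catches
    a rewritten header; with neither, the rewrite is consumed silently."""
    if len(pkt) < WESP_HDR_LEN + ESP_HDR_LEN + ESP_TRAILER_LEN + ICV_LEN:
        return False, "packet too short"
    wesp, body, icv = pkt[:WESP_HDR_LEN], pkt[WESP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    if explicit_checks:
        reason = check_wesp_fields(wesp, sa_encrypted)
        if reason:
            return False, reason
    covered = wesp + body if icv_covers_wesp else body
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return False, "ICV mismatch: packet modified in transit"
    return True, "ok"


def middlebox_rewrite(pkt, new_flags):
    """Models an intermediary overwriting the WESP Flags octet (constructed)."""
    return pkt[:3] + bytes([new_flags]) + pkt[4:]


if __name__ == "__main__":
    good = build_packet(spi=0x1001, seq=1, payload=b"constructed payload", encrypted=True)
    print("untouched:", verify_packet(good, sa_encrypted=True))
    rewritten = middlebox_rewrite(good, 0x00)  # header now claims cleartext
    print("field checks only:", verify_packet(rewritten, True, icv_covers_wesp=False))
    print("ICV only:", verify_packet(rewritten, True, explicit_checks=False))
    loose = build_packet(0x1001, 2, b"constructed payload", True, icv_covers_wesp=False)
    print("neither:", verify_packet(middlebox_rewrite(loose, 0x00), True,
                                    icv_covers_wesp=False, explicit_checks=False))
```

The last line of the demo is the case the thread is circling: a receiver that neither covers the WESP header in the ICV nor validates each field consumes a header an intermediary rewrote, which is exactly the packet Manav says "should not be consumed". Dropping the header from the ICV is only safe if the explicit per-field checks Pasi refers to stay in place.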