On 5/21/22 07:13, Michael Richardson wrote:
> Robert Moskowitz <rgm-...@htt-consult.com> wrote:
> > This is an item that goes back to the beginning of ESP work:
> > Minimally, how does the higher level 'learn' that it is secure:
>
> Are you asking how *TCP* learns of this, or how an application with an open socket(2) learns of this?

App TCP or UDP.

> > Encrypted/Authenticated/CRCed... ?
> > And as ESP has a seq#, how might it be conveyed to the higher layer?
>
> Do you mean replay counter here, or did you mean SPI?

SPI SHOULD have no value to the higher layer. It is the actual Seq # that may be of value.

> Preferably, never, because it will get rekeyed, so really, whatever you want to do really needs to be communicated abstracted to the key daemon, who will do the right thing, and keep track of updates to the SPI#
>
> > Case in point: MAVlink has a 1-byte seq# in its payload. How might this be provided by ESP?
>
> Now I think maybe you really do mean sequence/replay counter.

Yes.

> > https://mavlink.io/en/guide/message_signing.html
> > So I have been thinking about this vis-a-vis diet-esp. What is the mechanism/trigger that can best work across a number of higher layers to inform of operating environment and values available (seq#)?
> > Is this done anywhere now?
>
> Doubtful.

MAVlink does its own seq# processing, so if I squeeze it out in transporting the MAVlink packet, I need to rebuild it when passing it up to MAVlink.

Now a formal SCHC layer SHOULD be able to do this. One would think.

There are other layer 5 protocols with Seq #. Like RTP.

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
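Added example (editor's illustration, not code from the thread, from MAVLink, or from Diet-ESP/SCHC) of the compression step the message above describes: the 1-byte MAVLink v2 `seq` header field is squeezed out when the ESP sequence number of the carrying packet predicts it, and rebuilt before the frame is handed up. Everything beyond that idea is an assumption made for the example: one MAVLink message per ESP packet on a dedicated SA (so the two counters advance in lockstep), a two-rule SCHC-like scheme with made-up rule IDs, a per-direction offset that both ends re-learn from every uncompressed frame, and constructed frames whose two checksum bytes are placeholders rather than a computed CRC. The decompressor is assumed to sit where it can see the ESP sequence number, i.e. in the ESP/SCHC layer, which is exactly the layer the thread is asking about.

```python
# Added example, not code from the mailing-list thread, MAVLink or Diet-ESP/SCHC.
# Elide MAVLink v2's 1-byte `seq` when the ESP sequence number predicts it,
# rebuild it on the receiving side.  Rule IDs, the offset model, the frames
# and the placeholder checksum bytes are all assumptions for illustration.

MAVLINK2_STX = 0xFD
SEQ_INDEX = 4          # MAVLink v2 header: STX, len, incompat_flags, compat_flags, seq, ...
RULE_UNCOMPRESSED = 0  # assumed rule ID: residue is the whole frame
RULE_SEQ_ELIDED = 1    # assumed rule ID: residue is the frame minus the seq byte


class SeqCompressor:
    """Per-direction context: the offset between the ESP sequence number and
    MAVLink's seq.  Sender and receiver each keep a copy.  It is re-learned from
    every uncompressed frame, which also resynchronises after an ESP rekey
    (a new SA restarts its sequence number, so the old offset stops predicting)."""

    def __init__(self):
        self.offset = None  # unknown until the first uncompressed frame

    def predict(self, esp_seq):
        return (esp_seq + self.offset) & 0xFF  # MAVLink seq wraps at 255

    def compress(self, frame, esp_seq):
        if len(frame) <= SEQ_INDEX or frame[0] != MAVLINK2_STX:
            raise ValueError("not a MAVLink v2 frame")
        seq = frame[SEQ_INDEX]
        if self.offset is not None and self.predict(esp_seq) == seq:
            return RULE_SEQ_ELIDED, frame[:SEQ_INDEX] + frame[SEQ_INDEX + 1:]
        # First frame, or the relation broke (e.g. rekey): send the byte and
        # re-anchor the offset on this packet.
        self.offset = (seq - esp_seq) & 0xFF
        return RULE_UNCOMPRESSED, bytes(frame)

    def decompress(self, rule, residue, esp_seq):
        if rule == RULE_UNCOMPRESSED:
            self.offset = (residue[SEQ_INDEX] - esp_seq) & 0xFF
            return bytes(residue)
        if rule == RULE_SEQ_ELIDED:
            if self.offset is None:
                raise ValueError("elided seq received before any anchor frame")
            return residue[:SEQ_INDEX] + bytes([self.predict(esp_seq)]) + residue[SEQ_INDEX:]
        raise ValueError(f"unknown rule {rule}")


def make_frame(seq, payload=b"\x00" * 9):
    """Constructed MAVLink v2 frame (sysid 1, compid 1, msgid 0); the trailing
    two checksum bytes are placeholders, not a computed X.25 CRC."""
    header = bytes([MAVLINK2_STX, len(payload), 0, 0, seq & 0xFF, 1, 1, 0, 0, 0])
    return header + payload + b"\x00\x00"


def run_demo():
    """Send 12 frames; packet 4 is lost in transit, and the SA is rekeyed
    before packet 8.  Returns the rule used for each delivered packet and
    whether the receiver rebuilt the exact original frame."""
    sender, receiver = SeqCompressor(), SeqCompressor()
    rules, exact = [], []
    mav_seq, esp_seq = 250, 1            # MAVLink seq about to wrap; fresh SA
    for step in range(12):
        if step == 8:
            esp_seq = 1                  # rekey: new SA, ESP counter restarts
        frame = make_frame(mav_seq)
        rule, residue = sender.compress(frame, esp_seq)
        if step != 4:                    # a lost packet consumes both counters
            rebuilt = receiver.decompress(rule, residue, esp_seq)
            rules.append(rule)
            exact.append(rebuilt == frame)
        mav_seq = (mav_seq + 1) & 0xFF
        esp_seq += 1
    return rules, exact


if __name__ == "__main__":
    print(run_demo())
```

Two points the run brings out: a packet lost on the wire does not break the relation, because the lost packet consumed one ESP sequence number and one MAVLink seq together; a rekey does break it, because the new SA's counter restarts while MAVLink's does not, so the first frame after rekey goes uncompressed and re-anchors the offset on both sides. Both depend on the one-message-per-packet, dedicated-SA assumption; if the SA also carries other traffic the offset drifts and the scheme degrades to sending the byte.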