I agree, maybe we should be more explicit in the security considerations. I think at the time we wrote it, we did not want to define a SPI format and leave it to the implementer. But I agree mentioning it as an example would be clarifying. An example where a 0 byte SPI could be used is when the pairing is performed by lower layers - like a remote garage door.
Yours,
Daniel

On Tue, May 24, 2022 at 4:56 PM Scott Fluhrer (sfluhrer) <sfluh...@cisco.com> wrote:

> The easiest way would be to assign the first few bits of the SPI to
> indicate the SPI size; for example, all 8 bit SPIs might be allocated to
> have the first two bits being 11; all 16 bit SPIs might have those two bits
> being 10; etc. That way, an examination of the first few bits of the SPI
> would unambiguously give you the SPI size.
>
> Obviously, this doesn't apply to a '0 byte SPI'. I have no idea how that
> is intended to be processed; does that mean that the decrypter is expected
> to just try to decrypt the packet with all the SAs he has and see which one
> worked?
>
> *From:* IPsec <ipsec-boun...@ietf.org> *On Behalf Of *Daniel Migault
> *Sent:* Tuesday, May 24, 2022 4:48 PM
> *To:* Robert Moskowitz <rgm-...@htt-consult.com>
> *Cc:* Paul Wouters <paul.wouters=40aiven...@dmarc.ietf.org>; IPsecME WG <ipsec@ietf.org>
> *Subject:* Re: [IPsec] diet-esp - How do you know?
>
> The issue only comes when a gateway wants to support all sizes of SPIs 0 -
> 1 - 2 - 3 - 4 bytes - which is very unlikely. For a deterministic lookup, I
> would suggest using IP addresses and the minimum allowed byte compressed
> SPI.
>
> If you use 2 - 3 bytes, the likelihood of collision might still be very
> low to support an additional signature check.
>
> Yours,
> Daniel
>
> On Tue, May 24, 2022 at 4:30 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:
>
> That is the 'easy' part.
>
> What does the code do when it receives an ESP packet? How does it know that
> it is a diet-esp packet and apply the rules?
>
> Next Header just says: ESP.
>
> On 5/24/22 16:23, Daniel Migault wrote:
>
> This is correct. IKEv2 is used both to agree on the use of Diet-ESP as
> well as values to be used for the compression/decompression.
>
> Yours,
> Daniel
>
> On Tue, May 24, 2022 at 11:14 AM Paul Wouters <paul.wouters=40aiven...@dmarc.ietf.org> wrote:
>
> On Sun, May 22, 2022 at 9:20 PM Robert Moskowitz <rgm-...@htt-consult.com> wrote:
>
> I think there is something else I am missing here.
>
> How does the receiving system 'know' that the packet is a diet-esp packet?
>
> https://datatracker.ietf.org/doc/html/draft-mglt-ipsecme-ikev2-diet-esp-extension-02
>
> It's negotiated with IKEv2.
>
> I guess the IKE stack has to signal this to the ESP implementation on what
> to expect when the policy is installed ?
>
> Paul
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
>
> --
> Daniel Migault
> Ericsson

--
Daniel Migault
Ericsson
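An added example (not code from this thread or from the Diet-ESP drafts) of the two ideas above: Scott's self-delimiting SPI, where the top two bits of the first SPI byte give the SPI size, and Daniel's deterministic lookup by IP address pair for the 0 byte SPI case. Only "11 -> 8 bit" and "10 -> 16 bit" come from the thread; "01 -> 24 bit", "00 -> 32 bit", the `SAD` class and all sample addresses and SPI values are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Prefix-coded SPI length, as sketched in the thread: the top two bits of the
# first SPI byte give its size. Only 11 -> 1 byte and 10 -> 2 bytes are stated
# there; 01 -> 3 bytes and 00 -> 4 bytes are assumptions made for this example.
SPI_LEN_BY_PREFIX = {0b11: 1, 0b10: 2, 0b01: 3, 0b00: 4}

def spi_len_from_first_byte(b: int) -> int:
    return SPI_LEN_BY_PREFIX[(b >> 6) & 0b11]

def spi_fits_prefix(spi: int, n: int) -> bool:
    """An n-byte SPI is only usable if its top two bits carry the prefix for
    size n; otherwise a receiver would mis-read its length."""
    if n < 1 or not 0 <= spi < (1 << (8 * n)):
        return False
    return spi_len_from_first_byte(spi >> (8 * (n - 1))) == n

def parse_compressed_spi(esp: bytes) -> tuple:
    """Return (spi, spi_len) read from the start of a compressed ESP header."""
    if not esp:
        raise ValueError("empty packet")
    n = spi_len_from_first_byte(esp[0])
    if len(esp) < n:
        raise ValueError("truncated SPI")
    return int.from_bytes(esp[:n], "big"), n

@dataclass
class SAD:
    """Toy SA database keyed by (src, dst, spi_len, spi). spi_len == 0 models
    the 0-byte SPI: the address pair alone must then select exactly one SA,
    so a pair holds either one 0-byte SA or only prefixed SAs, never a mix."""
    entries: dict = field(default_factory=dict)

    def add(self, src: str, dst: str, spi_len: int, spi: int, name: str) -> None:
        peer = [k for k in self.entries if k[:2] == (src, dst)]
        if spi_len == 0 and peer:
            raise ValueError("0-byte SPI would be ambiguous for this address pair")
        if spi_len and (any(k[2] == 0 for k in peer) or not spi_fits_prefix(spi, spi_len)):
            raise ValueError("conflicts with a 0-byte SPI SA, or SPI lacks its length prefix")
        self.entries[(src, dst, spi_len, spi if spi_len else 0)] = name

    def lookup(self, src: str, dst: str, esp: bytes):
        """Deterministic lookup: address pair first, then the self-delimiting SPI."""
        zero = self.entries.get((src, dst, 0, 0))
        if zero is not None:
            return zero
        spi, n = parse_compressed_spi(esp)
        return self.entries.get((src, dst, n, spi))
```

The `add` checks are the point for a gateway: an SPI value that does not carry its own length prefix, or a 0-byte SA sharing an address pair with any other SA, would force the trial-decryption Scott describes instead of a single table lookup.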