Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

2009-12-28 Thread Bhatia, Manav (Manav)
Yes, this was discussed in the WG (http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/104) and the idea was this: We could have some malicious entity that could modify the offsets to ensure that the intermediaries don't parse a portion of the payload (which could contain malicious content) or in

Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

2009-12-28 Thread Jack Kohn
Are you suggesting that ESP ICV should not cover the WESP fields? I think, and my memory could be failing me, that this was discussed in the WG before this got added to the draft. Jack On Tue, Dec 29, 2009 at 2:15 AM, Stephen Kent wrote: > Yaron, > > I hate to admit it, but I lost track of the

Re: [IPsec] DISCUSS: draft-ietf-ipsecme-traffic-visibility

2009-12-28 Thread Stephen Kent
Yaron, I hate to admit it, but I lost track of the details of WESP as it progressed through WG discussions and briefings at IETF meetings. When I read the I-D in detail, I was very surprised to see that it was no longer a neatly-layered wrapper, as originally proposed. The fact that it now c

Re: [IPsec] Proposed work item: Childless IKE SA

2009-12-28 Thread Stephen Kent
At 8:20 AM +0530 12/18/09, Raj Singh wrote: ... IKE is Internet Key Exchange protocol NOT IPsec Key Exchange protocol. IKEv2 is not just a means of exchanging keys but it's a full package. This package provides mutual authentication, keys and readiness to secure data as needed. The main motivati

Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

2009-12-28 Thread Scott C Moonen
> Looks good to me. Agreed. Scott Moonen (smoo...@us.ibm.com) z/OS Communications Server TCP/IP Development http://www.linkedin.com/in/smoonen From: Yaron Sheffer To: Paul Hoffman , IPsecme WG Date: 12/28/2009 11:08 AM Subject: Re: [IPsec] Clarifying what happens with INITIAL_CONTACT Look

Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

2009-12-28 Thread Yaron Sheffer
Looks good to me. Yaron -Original Message- From: Paul Hoffman [mailto:paul.hoff...@vpnc.org] Sent: Monday, December 28, 2009 17:36 To: Yaron Sheffer; IPsecme WG Subject: Re: [IPsec] Clarifying what happens with INITIAL_CONTACT At 5:28 PM +0200 12/28/09, Yaron Sheffer wrote: >You

Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

2009-12-28 Thread Paul Hoffman
At 5:28 PM +0200 12/28/09, Yaron Sheffer wrote: >You are adding two MUSTs, which we SHOULD NOT do unless we have very good >reasons, such as interop problems, security issues, or major functionality >problems (like memory leaks). I'm not sure any of these apply, so I suggest >that you change the

Re: [IPsec] Clarifying what happens with INITIAL_CONTACT

2009-12-28 Thread Yaron Sheffer
Hi Paul, You are adding two MUSTs, which we SHOULD NOT do unless we have very good reasons, such as interop problems, security issues, or major functionality problems (like memory leaks). I'm not sure any of these apply, so I suggest that you change the wording to be non-normative. Thanks,

Re: [IPsec] Some IPSEC/IKE NAT Issues

2009-12-28 Thread Raj Singh
Hi Syed, On Mon, Dec 28, 2009 at 5:51 PM, Syed Ajim Hussain wrote: > > > Hi All, > I have some doubt about NAT with IPSEC/IKE. > > Example: take a topology: > > IKE_PEER1 --- NAT1 NAT2 Server---IKE_PEER3 > (1.1.1.1) | (1.1.1.10) (2.1.1.1) (2.1.1.2) (

[IPsec] Some IPSEC/IKE NAT Issues

2009-12-28 Thread Syed Ajim Hussain
Hi All, I have some doubt about NAT with IPSEC/IKE. Example: take a topology: IKE_PEER1 --- NAT1 NAT2 Server---IKE_PEER3 (1.1.1.1) | (1.1.1.10) (2.1.1.1) (2.1.1.2) (3.1.1.1) | IKE_PEER2 | (1.1.1.2)