Re: [IPsec] draft-kivinen-ipsecme-esp-null-heuristics comments
Bhatia, Manav (Manav) writes:
> > You gave reasons why ESP-NULL is needed, not why ESP-NULL visibility
> > is needed.
>
> One might want to filter OSPFv3 packets coming from outside the domain.
It is much better to do that check on the OSPFv3 receiver end where
the packet is actually authenticated by ESP-NULL, and which has much
better knowledge who is authorized to send what.
I do not know OSPFv3 that well, so I do not know how you tell which
packets are coming from outside of the domain (as IP addresses are not
authenticated in ESP-NULL, so those cannot be checked), so I cannot
really tell whether that check is doable or not.
So what are the exact checks you are doing and where inside the OSPFv3
packet content are those fields, and what do they gain compared to
doing the same checks on the final OSPFv3 receiver?
> Then when you're the end node, you might want to prioritize some
> OSPF packets over the others. I understand that the latter is an
> implementation specific issue, but it helps if the underlying
> protocol is amenable for deep inspection.
End node already has all ESP-NULL related information, there is no
need for ESP-NULL visibility there.
--
kivinen at iki.fi
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
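The point under discussion, that an ESP-NULL receiver can vouch for the ESP body but not for the outer IP addresses, and that a middlebox without the key can at best guess the trailer layout, can be made concrete. The following is an added example written for this page; it is not code from the draft or from either participant. The integrity key, the IPv6 addresses, the SPI and the OSPFv3 Hello header are all constructed for the demonstration, and the key-less guessing function is a deliberately simplified illustration of the heuristic approach, not the draft's algorithm. It builds an ESP packet with NULL encryption and HMAC-SHA1-96, shows that rewriting the outer source address leaves the ICV valid, and shows what a keyless observer can and cannot conclude.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; on a real SA it comes from IKE. HMAC-SHA1-96 (RFC 2404)
# truncates the HMAC to 12 bytes.
INTEGRITY_KEY = bytes(range(16))
ICV_LEN = 12
IPPROTO_ESP = 50
IPPROTO_OSPF = 89


def build_esp_null(spi, seq, payload, next_header, key=INTEGRITY_KEY):
    """Build an ESP packet with NULL encryption (RFC 2410) and HMAC-SHA1-96.

    The ICV covers SPI, sequence number, payload, padding, pad length and
    next header (RFC 4303 section 2.8) and nothing in front of the ESP header.
    """
    pad_len = (-(len(payload) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))         # default monotonic padding, RFC 4303 2.4
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp_null(esp, key=INTEGRITY_KEY):
    """Receiver side: verify the ICV, then return (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    payload_end = len(body) - 2 - pad_len
    if payload_end < 8:
        raise ValueError("bad pad length")
    return spi, seq, next_header, body[8:payload_end]


def build_ipv6(src, dst, next_header, payload, hop_limit=1):
    """Minimal IPv6 header (RFC 8200) in front of an ESP payload; no extension headers."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def receiver_view(pkt, key=INTEGRITY_KEY):
    """What an ESP-NULL endpoint can actually vouch for after a successful ICV check."""
    if pkt[6] != IPPROTO_ESP:
        raise ValueError("not ESP")
    spi, seq, inner_nh, payload = parse_esp_null(pkt[40:], key)
    return {
        "outer_src": str(ipaddress.IPv6Address(pkt[8:24])),  # readable, but outside the ICV
        "spi": spi, "seq": seq, "inner_next_header": inner_nh, "payload": payload,
    }


def ospfv3_hello_header(router_id, area_id):
    """Constructed 16-byte OSPFv3 header (RFC 5340 4.2.2): version 3, type 1 (Hello), no body."""
    return struct.pack("!BBHIIHBB", 3, 1, 16, router_id, area_id, 0, 0, 0)


def spoofed_source_still_verifies():
    """Rewriting the outer source address does not disturb the ESP ICV."""
    esp = build_esp_null(0x1000, 1, ospfv3_hello_header(0x0A000001, 0), IPPROTO_OSPF)
    genuine = build_ipv6("fe80::1", "ff02::5", IPPROTO_ESP, esp)       # constructed addresses
    spoofed = build_ipv6("2001:db8::bad", "ff02::5", IPPROTO_ESP, esp)
    return receiver_view(genuine)["payload"] == receiver_view(spoofed)["payload"]


def guess_esp_null_icv_len(esp, next_headers=(IPPROTO_OSPF,)):
    """Key-less middlebox guess, a simplified illustration of the heuristic idea: try common
    ICV lengths and accept one only if the trailer is self-consistent (monotonic padding,
    expected next header) and the payload starts with a plausible OSPFv3 header.
    Returns the ICV length that fits, else None. Nothing here is authenticated."""
    for icv_len in (12, 16, 24, 32):
        if len(esp) < 8 + 2 + icv_len:
            continue
        body = esp[:-icv_len]
        pad_len, nh = body[-2], body[-1]
        payload_end = len(body) - 2 - pad_len
        if nh not in next_headers or payload_end < 8 + 16:
            continue
        if body[payload_end:-2] != bytes(range(1, pad_len + 1)):
            continue
        payload = body[8:payload_end]
        if payload[0] == 3 and struct.unpack("!H", payload[2:4])[0] == len(payload):
            return icv_len
    return None
```

The contrast is the one the message draws: `receiver_view` only succeeds after the ICV check, so the endpoint knows the ESP body came from a holder of the SA key, but `outer_src` is merely copied from a header the ICV never covered, which is why a "from outside the domain" test on addresses proves nothing. `guess_esp_null_icv_len` is what an intermediate node is reduced to without the key: a plausibility check on bytes it cannot verify.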