Re: [IPsec] Next Header field in WESP header

To: Tero Kivinen <kivinen at iki.fi>, gabriel montenegro <g_e_montenegro at yahoo.com>
Subject: Re: [IPsec] Next Header field in WESP header
From: "Bhatia, Manav (Manav)" <manav at alcatel-lucent.com>
Date: Tue, 12 May 2009 16:17:39 +0530
Accept-language: en-US
Acceptlanguage: en-US
Cc: "ipsec at ietf.org" <ipsec at ietf.org>
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <18953.15045.697978.618223 at fireball.kivinen.iki.fi>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <18935.5198.554334.837387 at fireball.kivinen.iki.fi> <C49B4B6450D9AA48AB99694D2EB0A48317C30707 at rrsmsx505.amr.corp.intel.com> <7F9A6D26EB51614FBF9F81C0DA4CFEC8D9ACEC58FB at il-ex01.ad.checkpoint.com> <4A00ABA9.4090201 at sandelman.ca> <7C362EEF9C7896468B36C9B79200D83503604B5B50 at INBANSXCHMBSA1.in.alcatel-lucent.com> <714328.31562.qm at web82605.mail.mud.yahoo.com> <18953.15045.697978.618223 at fireball.kivinen.iki.fi>
Thread-index: AcnS4C/QGk1Dp6mWSTWauIafH+xFpwAAdyUg
Thread-topic: [IPsec] Next Header field in WESP header

There are a lot of boxes deployed in the field that cant do what you seem to be suggesting. 

If we are to pick up the "Next Header" from the ESP trailer then we need to parse the entire packet with the variability in the ICV length. This would entail storing the entire IPv4/Ipv6 packet (coming at line rate) in the silicon's buffer which would need to be really large. Not many boxes would be able to do that. However, if we specify the "Next Header" in the WESP header than most HWs capable of deep inspecting the first 128 bytes would be able to discern the packet.

Is there an issue in keeping "Next Header" in the WESP header? I see an advantage in doing so. Would like to hear arguments against it!

Cheers, Manav

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen at iki.fi] 
> Sent: Tuesday, May 12, 2009 2.31 PM
> To: gabriel montenegro
> Cc: Bhatia, Manav (Manav); ipsec at ietf.org
> Subject: Re: [IPsec] Next Header field in WESP header
> 
> gabriel montenegro writes:
> > Your point below about Next Header being useful is specially
> > valuable as it is from someone involved in developing these boxes.
> 
> If the box can do IPv6 header processing (which do require similar
> offset calculations) to find the WESP header in the first place, then
> doing packet length - ICV length (from packet) and get byte from there
> is not that complicated and hardware can most likely do that already.
> 
> And I hope nobody is designing new hardware now which cannot do IPv6
> processing... 
> -- 
> kivinen at iki.fi
>

Follow-Ups:
- Re: [IPsec] Next Header field in WESP header
  - From: Tero Kivinen

References:
- [IPsec] Comments to draft-ietf-ipsecme-ikev2-redirect-08
  - From: Tero Kivinen
- [IPsec] Issue #93: Next header value in tunnel mode for WESP
  - From: Grewal, Ken
- Re: [IPsec] Issue #93: Next header value in tunnel mode for WESP
  - From: Yaron Sheffer
- Re: [IPsec] Issue #93: Next header value in tunnel mode for WESP
  - From: Michael Richardson
- [IPsec] Next Header field in WESP header
  - From: Bhatia, Manav (Manav)
- Re: [IPsec] Next Header field in WESP header
  - From: gabriel montenegro
- Re: [IPsec] Next Header field in WESP header
  - From: Tero Kivinen

Prev by Date: Re: [IPsec] Next Header field in WESP header
Next by Date: Re: [IPsec] IV in ESP packets for DES and 3DES methods
Previous by thread: Re: [IPsec] Next Header field in WESP header
Next by thread: Re: [IPsec] Next Header field in WESP header
Index(es):
- Date
- Thread

Re: [IPsec] Next Header field in WESP header

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.