IETF Logo Mail Archive

[IPsec] I-D Action:draft-ietf-ipsecme-traffic-visibility-08.txt

Tero Kivinen <kivinen@iki.fi> Thu, 03 September 2009 09:38 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B5333A6816 for <ipsec@core3.amsl.com>; Thu, 3 Sep 2009 02:38:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71EOIVLssRir for <ipsec@core3.amsl.com>; Thu, 3 Sep 2009 02:38:33 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id B31BE28C107 for <ipsec@ietf.org>; Thu, 3 Sep 2009 02:36:40 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.13.8) with ESMTP id n839P8DR019296 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <ipsec@ietf.org>; Thu, 3 Sep 2009 12:25:08 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id n839P8T3021579; Thu, 3 Sep 2009 12:25:08 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19103.35700.506013.687392@fireball.kivinen.iki.fi>
Date: Thu, 03 Sep 2009 12:25:08 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
In-Reply-To: <20090901160002.0A34B3A7003@core3.amsl.com>
References: <20090901160002.0A34B3A7003@core3.amsl.com>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 9 min
X-Total-Time: 13 min
Subject: [IPsec] I-D Action:draft-ietf-ipsecme-traffic-visibility-08.txt
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2009 09:38:34 -0000

Internet-Drafts@ietf.org writes:
> 	Title           : Wrapped ESP for Traffic Visibility
> 	Author(s)       : K. Grewal, et al.
> 	Filename        : draft-ietf-ipsecme-traffic-visibility-08.txt
> 	Pages           : 15
> 	Date            : 2009-09-01

Found out one more nit in the WESP draft. It now says:

    Flags, 8 bits: The bits are defined LSB first, so bit 0 would be
    the least significant bit of the flags octet.

and then defines flags from MSB first without specifying bit numbers
and those bit numbers based on the picture are 5-7. This is bit
confusing. So I propose that you add the explicit bit numbers to the
descriptions i.e. add "bits 6-7" to version and "bit 5" to
description.

On the other hand your picture is using MSB order, i.e. bit number 0
is the most significant bit, and flags is bits 24-31, so it would make
sense to define bits inside the flags also in MSB order, i.e. change
the text to:
----------------------------------------------------------------------
   Flags, 8 bits: The bits are defined MSB first, so bit 0 would be 
   the most significant bit of the flags octet. 

       2 bits (bits 0-1): Version (V). MUST be sent as 0 and checked
   by the receiver. If the version is different than an expected
   version number (e.g. negotiated via the control channel), then the
   packet must be dropped by the receiver. Future modifications to the
   WESP header may require a new version number. Intermediate nodes
   dealing with unknown versions are not necessarily able to parse the
   packet correctly. Intermediate treatment of such packets is
   policy-dependent (e.g., it may dictate dropping such packets).

       1 bit (bit 2): Encrypted Payload (E). Setting the Encrypted
   Payload bit to 1 indicates that the WESP (and therefore ESP)
   payload is protected with encryption. If this bit is set to 0, then
   the payload is using ESP-NULL cipher. Setting or clearing this bit
   also impacts the value in the WESP Next Header field, as described
   above. The recipient MUST ensure consistency of this flag with the
   negotiated policy and MUST drop the incoming packet otherwise.

       5 bits (bits 3-7): Flags, reserved for future use. The flags
   MUST be sent as 0, and ignored by the receiver. Future documents
   defining any of these flags MUST NOT affect the distinction between
   encrypted and unencrypted packets. Intermediate nodes dealing with
   unknown flags are not necessarily able to parse the packet
   correctly. Intermediate treatment of such packets is
   policy-dependent (e.g., it may dictate dropping such packets).
----------------------------------------------------------------------

I am actually not sure if we have properly defined bit order for IETF
use. In pictures we use MSB bit first numbering, but in some other
places we have used LSB bit numbering (like RFC4306 uses for its
flags).

If you want to keep LSB bit ordering inside the flags then text would
be:

----------------------------------------------------------------------
   Flags, 8 bits: The bits are defined LSB first, so bit 0 would be 
   the least significant bit of the flags octet. 

       2 bits (bits 6-7): Version (V). MUST be sent as 0 and checked
   by the receiver. If the version is different than an expected
   version number (e.g. negotiated via the control channel), then the
   packet must be dropped by the receiver. Future modifications to the
   WESP header may require a new version number. Intermediate nodes
   dealing with unknown versions are not necessarily able to parse the
   packet correctly. Intermediate treatment of such packets is
   policy-dependent (e.g., it may dictate dropping such packets).

       1 bit (bit 5): Encrypted Payload (E). Setting the Encrypted
   Payload bit to 1 indicates that the WESP (and therefore ESP)
   payload is protected with encryption. If this bit is set to 0, then
   the payload is using ESP-NULL cipher. Setting or clearing this bit
   also impacts the value in the WESP Next Header field, as described
   above. The recipient MUST ensure consistency of this flag with the
   negotiated policy and MUST drop the incoming packet otherwise.

       5 bits (bits 0-4): Flags, reserved for future use. The flags
   MUST be sent as 0, and ignored by the receiver. Future documents
   defining any of these flags MUST NOT affect the distinction between
   encrypted and unencrypted packets. Intermediate nodes dealing with
   unknown flags are not necessarily able to parse the packet
   correctly. Intermediate treatment of such packets is
   policy-dependent (e.g., it may dictate dropping such packets).
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email