[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: An architectural draft

To: Hiroki Ishibashi <bashi@ipv6.nec.co.jp>
Subject: Re: An architectural draft
From: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>
Date: Wed, 28 May 2003 23:18:39 +0859 ()
Cc: multi6@ops.ietf.org
In-reply-to: <7CC324FA5CA109bashi@ipv6.nec.co.jp> from Hiroki Ishibashi at "May28, 2003 06:20:21 pm"

Ishibashi san;

> >3.3 IPSEC
> >
> >   ESP is purely optional and should be implemented as Protocol 50. SPI
> >   works as port numbers for resource reservation (if any).  AH is
> >   forbidden because its functionality overridden by ESP and its SPI is
> >   not located at port number part.
> 
> 
> If my understanding is correct, integrity check including IP header
> cannot be done with ESP.  AH can do that.

An interesting point (on how IPSEC sucks).

First, which part of IP header, do you want to check the integrity?

Once a host receives a packet and delivers it to some application
using SPI (which is why SPI is equivalent to port information), no
information in IP header is no longer necessary and it is too
late to check integrity of information in IP header.

Note that, unlike CIP, SIPA does not have IP options which could
have complex and unpredicatable interaction with IPSEC.

Secondely, it is my understanding of IPSEC that, while a mandatory
transform, DES-CBC, does not provide integrity check (involving IP
headers), other transforms can. And, who use DES, these days?

							Masataka Ohta

Follow-Ups:
- Re: An architectural draft
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- Re: An architectural draft
  - From: Hiroki Ishibashi <bashi@ipv6.nec.co.jp>

Prev by Date: Re: An architectural draft
Next by Date: Re: An architectural draft
Previous by thread: Re: An architectural draft
Next by thread: Re: An architectural draft
Index(es):
- Date
- Thread