[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: New draft -- IPSEC ESP

Nice work on the ESP doc. I have a few small comments questions.

>2.3  Payload Data
>   If the algorithm used to encrypt
>   the payload requires cryptographic synchronization data, e.g., an IV,
>   then this data MAY be carried explicitly in the Payload field.  Any
>   encryption algorithm that requires such explicit, per-packet
>   synchronization data MUST indicate the length and any structure for
>   such data, as part of an RFC specifying how the algorithm is used
>   with ESP.  If such synchronization data is implicit, the algorithm
>   for deriving the data MUST be part of the RFC.

Does this imply that the alg-specific per-packet sync data will be located
at the start of the payload, immediately following the Sequence Number
field? It's not clear, and I don't know if it should be a requirement or
not. If it is intended to imply that it has to be located at the beginning
of the payload, then that should be made explicit (not that I can imagine
where else it would be located at the moment).

>   3.1 ESP Header Location
>                     AFTER APPLYING ESP
>            ---------------------------------------------------------
>      IPv6  | orig |hxh,rtg,frag|dest|ESP|dest|   |    | ESP   | ESP|
>            |IP hdr|if present**|opt*|Hdr|opt*|TCP|Data|Trailer|Auth|
>            ---------------------------------------------------------
>                                         |<---- encrypted ---->|
>                                     |<---- authenticated ---->|
>                * = if present, could be before AH, after AH, or both
                                                 ^^        ^^
Shouldn't these be "ESP"?

>3.2.5  Fragmentation
>   If necessary, fragmentation is performed after ESP processing within
>   an IPsec implementation.  Thus, transport mode ESP is applied only to
>   whole IP datagrams (not to IP fragments).  An IP packet to which ESP
>   has been applied may itself be fragmented by routers en route, and
>   such fragments must be reassembled prior to AH processing at a
Shouldn't this be "ESP" too?

Lastly, when can we expect a revised Security Architecture document. There
are a couple of references to it in the ESP doc where the referenced info
would be of great help.