[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IPSEC and TCP headers



Has the IPSEC group ever considered a variation to the transport mode which, if
TCP were being used on a flow, would leave the TCP header unencrypted and 
unauthenticated?  If TCP were not being used, the normal transport mode would
be used; e.g.:

                 BEFORE APPLYING ESP
           ----------------------------------
     IPv4  |orig IP hdr  | TCP    | TCP     |
           |(any options)| header | payload |
           ----------------------------------

                 AFTER APPLYING ESP
          --------------------------------------------------------------       
     IPv4 |orig IP hdr  | Orig TCP hdr) | ESP | TCP     |   ESP   | ESP|       
          |(any options)| (any options) | Hdr | payload | Trailer |Auth|       
          --------------------------------------------------------------       
                                              |<-- encrypted ---->|        
                                        |<----- authenticated --->|        

Such an approach would allow various strategies aimed at improving TCP
performance over challenging network segments (e.g., TCP snoop) to be deployed
in a transit network, particularly wireless networks.  While such an approach 
might leave flows vulnerable to malicious TCP spoofing, if additional security 
measures were adopted by the wireless network to eliminate unauthorized 
spoofing, this method would be useful.

Has the group considered this approach before (I could not find discussion
of it on the list archive or the internet drafts)?   

Thanks,
Tom Henderson
EECS Dept., UC Berkeley
tomh@cs.berkeley.edu





Follow-Ups: