Re: ESP Pad byte changes
In the interest of 'being strict on what we send and liberal on what we
accept/receive', we are sending the incrementing pad values according to the
spec, but not checking them on receipt. As long as you know the right number
of pad bytes to process, I don't see the value in checking contents; after
all, they are *pad* bytes.
-Bob
-----Original Message-----
From: Jackie Wilson <jhwilson@austin.ibm.com>
To: ipsec@tis.com <ipsec@tis.com>
Date: Wednesday, April 08, 1998 10:38 PM
Subject: ESP Pad byte changes
>I was wondering how many implementations are numbering the pad bytes and
>checking the values as indicated in the latest ESP draft. This seems to be a
>problem that if you check the values, you may not be able to interoperate with
>many ipsec implementations. I realize this is a 'should' issue, but this
>is a low-level detail I don't want to surface to the user to turn on or
>off. In addition, it is not an attribute that can be negotiated with
>ISAKMP/Oakley. Is checking the pad numbering strategic, do most implementers
>plan on doing it? Are most people making this a configurable option? If it's
>not being done now, are people planning on doing it soon (i.e. 1998)? If it
>is not important from a security standpoint to have it, then why is it in
>the draft?
>
>For all the noise made about freezing the drafts, I question the decision
>to add this in the last round of changes to ESP.
>
>Just wondering what others thought.
>
>Jackie
>--
>Jacqueline Wilson | Phn: (512) 838-2702
>IBM, AIX/6000 | Fax: (512) 838-3509
>11400 Burnet Road ZIP 9551 | Ext: 8-2702 Tie-Line: 678
>Austin, TX 78758-3493 | inet: jhwilson@austin.ibm.com
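The sender/receiver split Bob describes, as an added Python example (not code from this thread or any of the implementations mentioned): the sender builds the ESP trailer with the numbered pad bytes the draft requires (1, 2, 3, ...), and the receiver always enforces Pad Length but only verifies the pad byte values when a policy flag says so. The 8-byte block size and the Next Header value of 6 are assumptions for the constructed sample.

```python
"""ESP trailer padding: strict on send, configurable on receive.

Added example, not code from the ipsec list thread. Trailer layout follows
the ESP draft (later RFC 2406): Padding | Pad Length (1 byte) | Next Header
(1 byte), with default padding bytes numbered 1, 2, 3, ... in order.
"""
import struct
from typing import Tuple

NEXT_HEADER_TCP = 6  # assumed IP protocol number for the constructed sample


def esp_pad(payload: bytes, next_header: int, block_size: int = 8) -> bytes:
    """Append Padding, Pad Length and Next Header so the total is block-aligned."""
    # The two fixed trailer bytes always follow the padding, so count them in.
    pad_len = (-(len(payload) + 2)) % block_size
    padding = bytes(range(1, pad_len + 1))  # monotonically increasing from 1
    return payload + padding + struct.pack("!BB", pad_len, next_header)


def esp_unpad(plaintext: bytes, check_pad_values: bool) -> Tuple[bytes, int]:
    """Strip the trailer and return (payload, next_header).

    Pad Length is always validated against the buffer; the pad byte contents
    are only verified when check_pad_values is True (the 'strict receiver').
    Raises ValueError on anything malformed.
    """
    if len(plaintext) < 2:
        raise ValueError("ESP plaintext shorter than the fixed trailer")
    pad_len, next_header = struct.unpack("!BB", plaintext[-2:])
    if pad_len + 2 > len(plaintext):
        raise ValueError("Pad Length exceeds plaintext length")
    payload_end = len(plaintext) - 2 - pad_len
    padding = plaintext[payload_end:len(plaintext) - 2]
    if check_pad_values and padding != bytes(range(1, pad_len + 1)):
        raise ValueError("pad bytes are not the expected 1..n sequence")
    return plaintext[:payload_end], next_header


if __name__ == "__main__":
    # Constructed sample: 4-byte payload needs 2 pad bytes to reach 8.
    wire = esp_pad(b"abcd", NEXT_HEADER_TCP)
    print(wire.hex())                    # 6162636401020206
    print(esp_unpad(wire, check_pad_values=True))
```

A peer that fills padding with zeros interoperates with the liberal receiver (check_pad_values=False) but is rejected by the strict one, which is exactly the trade-off the thread is weighing.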