
Re: ESP Pad byte changes



In the interest of 'being strict on what we send and liberal on what we
accept/receive', we are sending the incrementing pad values according to the
spec, but not checking them on receipt. As long as you know the right number
of pad bytes to process, I don't see the value in checking contents; after
all, they are *pad* bytes.

-Bob

-----Original Message-----
From: Jackie Wilson <jhwilson@austin.ibm.com>
To: ipsec@tis.com <ipsec@tis.com>
Date: Wednesday, April 08, 1998 10:38 PM
Subject: ESP Pad byte changes


>I was wondering how many implementations are numbering the pad bytes and
>checking the values as indicated in the latest ESP draft.  This seems to be a
>problem that if you check the values, you may not be able to interoperate with
>many ipsec implementations.  I realize this is a 'should' issue, but this
>is a low-level detail I don't want to surface to the user to turn on or
>off.  In addition, it is not an attribute that can be negotiated with
>ISAKMP/Oakley.  Is checking the pad numbering strategic, do most implementers
>plan on doing it?  Are most people making this a configurable option?  If it's
>not being done now, are people planning on doing it soon (ie 1998)? If it
>is not important from a security standpoint to have it, then why is it in
>the draft?
>
>For all the noise made about freezing the drafts, I question the decision
>to add this in the last round of changes to ESP.
>
>Just wondering what others thought.
>
>Jackie
>--
>Jacqueline Wilson          | Phn:  (512) 838-2702
>IBM, AIX/6000              | Fax:  (512) 838-3509
>11400 Burnet Road ZIP 9551 | Ext:  8-2702   Tie-Line:  678
>Austin, TX 78758-3493      | inet: jhwilson@austin.ibm.com
>
>
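The sender/receiver split Bob describes above (emit the 1, 2, 3, ... pad values the ESP draft specifies, but on receipt rely only on the Pad Length field) can be shown in a few lines. This is an added example written for this archive page; it is not code from Bob's implementation, IBM's, or the ESP draft itself. The 4-byte alignment block size, the `EspTrailerFields` dataclass and the helper names are assumptions made for the illustration. The one check a liberal receiver must still do is bounding Pad Length against the data actually present, since that field, not the pad contents, decides how many bytes are stripped.

```python
# Added example: ESP trailer padding with a strict sender and a liberal receiver.
# Not from the original message or any implementation named on the list.
from dataclasses import dataclass

# Assumption for the example: the encrypted region (payload + padding + the two
# trailer bytes) must be a multiple of this block size. ESP requires 4-byte
# alignment, or the cipher block size when that is larger.
DEFAULT_BLOCK_SIZE = 4

NEXT_HEADER_TCP = 6  # IP protocol number for TCP, used as a sample Next Header


@dataclass
class EspTrailerFields:
    """Hypothetical container for the parsed fields (name chosen for the example)."""
    payload: bytes
    padding: bytes
    pad_length: int
    next_header: int


def esp_padding(payload_len: int, block_size: int = DEFAULT_BLOCK_SIZE) -> bytes:
    """Default pad values: 1, 2, 3, ... for exactly as many bytes as alignment needs."""
    if not 0 < block_size <= 256:  # Pad Length is one byte, so at most 255 pad bytes
        raise ValueError("unsupported block size")
    pad_len = (-(payload_len + 2)) % block_size  # +2 for Pad Length and Next Header
    return bytes(range(1, pad_len + 1))


def build_esp_plaintext(payload: bytes, next_header: int,
                        block_size: int = DEFAULT_BLOCK_SIZE) -> bytes:
    """Sender side ('strict in what we send'): payload | padding | Pad Length | Next Header."""
    padding = esp_padding(len(payload), block_size)
    return payload + padding + bytes([len(padding), next_header & 0xFF])


def parse_esp_plaintext(plaintext: bytes,
                        check_pad_values: bool = False) -> EspTrailerFields:
    """Receiver side ('liberal in what we accept'): trust Pad Length, not the pad contents.

    The pad-value comparison is optional; the bounds check on Pad Length is not.
    """
    if len(plaintext) < 2:
        raise ValueError("truncated ESP trailer")
    pad_length = plaintext[-2]
    next_header = plaintext[-1]
    # A Pad Length larger than the data present must be rejected here; otherwise the
    # receiver would strip bytes it never received (or slice before the buffer start).
    if pad_length > len(plaintext) - 2:
        raise ValueError("pad length exceeds available data")
    end_of_payload = len(plaintext) - 2 - pad_length
    payload = plaintext[:end_of_payload]
    padding = plaintext[end_of_payload:-2]
    if check_pad_values and padding != bytes(range(1, pad_length + 1)):
        raise ValueError("pad bytes are not monotonically increasing")
    return EspTrailerFields(payload, padding, pad_length, next_header)


def receiver_accepts(plaintext: bytes, check_pad_values: bool) -> bool:
    """Does a receiver with the given policy accept this decrypted ESP body?"""
    try:
        parse_esp_plaintext(plaintext, check_pad_values)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_esp_plaintext(b"hello", NEXT_HEADER_TCP)
    print(pkt.hex(), parse_esp_plaintext(pkt))
    # Constructed packet from a peer that zero-fills its padding instead of numbering it
    zero_padded = b"hello" + b"\x00" + bytes([1, NEXT_HEADER_TCP])
    print(receiver_accepts(zero_padded, check_pad_values=False))  # liberal: accepted
    print(receiver_accepts(zero_padded, check_pad_values=True))   # strict: rejected
```

Running the module builds a 5-byte payload into an 8-byte aligned body, parses it back, and then shows the interoperability point from the thread: a peer that zero-fills its padding is accepted by the liberal receiver and rejected by the strict one, while a body whose Pad Length overruns the data is rejected by both.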