
RE: ESP Pad byte changes



I was just re-reading this thread and I was concerned about the original question 
below.  The implication below is that there may be an interoperability issue.
This is certainly not the case if an implementation is properly SENDING the 
correct specified Pad pattern.  (The Pad insertion technique is a MUST in the
ESP document - unless otherwise specified in the algorithm RFC.)
Whether or not a receiver chooses to inspect the Pad should have no bearing 
on interoperability.

Bob Doud

IRE Secure Solutions, Inc.
100 Conifer Hill Drive, Suite 513
Danvers, MA. 01923
Voice:	978-739-4714
FAX:	978-739-5698
mailto:bdoud@ire-ma.com
http://www.ire-ma.com/

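The pad pattern Bob refers to, as an added illustration rather than code from either poster: the sender fills the ESP padding with the default monotonically increasing bytes 1, 2, 3, ... followed by the Pad Length and Next Header bytes, and the receiver may or may not inspect that pattern. It assumes the ESP draft/RFC 2406 default pattern, 4-byte alignment, and a block-cipher size passed in by the caller (8 bytes by default), and it needs Python 3.9+ for math.lcm.

```python
import math

# Added illustration, not from the thread. Assumes the ESP default pad
# pattern (1, 2, 3, ...) and a two-byte trailer: Pad Length, Next Header.

def pad_length(payload_len: int, block_size: int = 8) -> int:
    """Pad so payload + padding + 2 trailer bytes ends on a cipher block
    boundary that is also a multiple of 4 (ESP requires 4-byte alignment)."""
    align = math.lcm(block_size, 4)
    return (-(payload_len + 2)) % align


def default_pad(n: int) -> bytes:
    """Default ESP padding pattern: byte values 1, 2, 3, ..., n (n <= 255)."""
    return bytes(range(1, n + 1))


def build_esp_plaintext(payload: bytes, next_header: int, block_size: int = 8) -> bytes:
    """Sender side: payload || padding || pad length || next header."""
    n = pad_length(len(payload), block_size)
    return payload + default_pad(n) + bytes([n, next_header])


def parse_esp_plaintext(plaintext: bytes, block_size: int = 8, check_pad: bool = True):
    """Receiver side: strip the trailer and, if check_pad is set, verify that
    the padding follows the 1, 2, 3, ... pattern (the 'should' in the draft).
    Returns (payload, next_header); raises ValueError on malformed input."""
    if len(plaintext) < 2 or len(plaintext) % math.lcm(block_size, 4) != 0:
        raise ValueError("decrypted ESP payload is not block aligned")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds available data")
    end = len(plaintext) - 2            # index just past the padding
    padding = plaintext[end - pad_len:end]
    if check_pad and padding != default_pad(pad_len):
        raise ValueError("padding does not follow the 1,2,3,... pattern")
    return plaintext[:end - pad_len], next_header


if __name__ == "__main__":
    # Constructed sample: a 5-byte payload carrying protocol 6 (TCP).
    wire = build_esp_plaintext(b"hello", 6)
    print(wire.hex())                   # 68656c6c6f010106
    print(parse_esp_plaintext(wire))    # (b'hello', 6)
```

A sender that emits the correct pattern interoperates with both strict and lenient receivers; only a sender that fills the pad with something else is caught by a receiver that inspects it.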

-----Original Message-----
From:	Jackie Wilson [SMTP:jhwilson@austin.ibm.com]
Sent:	Thursday, April 09, 1998 1:22 AM
To:	ipsec@tis.com
Subject:	ESP Pad byte changes

I was wondering how many implementations are numbering the pad bytes and 
checking the values as indicated in the latest ESP draft.  This seems to be a 
problem that if you check the values, you may not be able to interoperate with 
many ipsec implementations.  I realize this is a 'should' issue, but this
is a low-level detail I don't want to surface to the user to turn on or 
off.  In addition, it is not an attribute that can be negotiated with 
ISAKMP/Oakley.  Is checking the pad numbering strategic?  Do most implementers 
plan on doing it?  Are most people making this a configurable option?  If it's 
not being done now, are people planning on doing it soon (i.e. 1998)? If it
is not important from a security standpoint to have it, then why is it in 
the draft?

For all the noise made about freezing the drafts, I question the decision
to add this in the last round of changes to ESP.

Just wondering what others thought.

Jackie
-- 
Jacqueline Wilson          | Phn:  (512) 838-2702
IBM, AIX/6000              | Fax:  (512) 838-3509
11400 Burnet Road ZIP 9551 | Ext:  8-2702   Tie-Line:  678
Austin, TX 78758-3493      | inet: jhwilson@austin.ibm.com