
Re: Thomas Narten's DISCUSS vote



	 The text is valid; ESP includes integrity protection, although
	 ESP doesn't cover the IP header.  In the new IPSEC scheme, it
	 is extremely unlikely that someone will use both ESP and AH.
	 ESP-NULL provides no data confidentiality, but it does provide
	 integrity over the packet data (but not of the IP headers),
	 thus allowing NAT boxes to muck with the IP headers.

	 Whether or not this is a horrible abstraction violation is
	 beside the point; if the goal is to allow NAT boxes to work,
	 while still providing data integrity services for the packet
	 contents, ESP NULL is one way of accomplishing that goal.

The objection is valid -- because of the transport checksum, which
is protected by ESP-NULL's integrity algorithm, the IP addresses
can't be tinkered with in a useful fashion.  (Well, I suppose that
a NAT box could change the source port number to offset the changes
to the addresses -- but I don't really regard that as useful...)

ESP-NULL has a lot of advantages -- but enabling NAT isn't one of them.
(Well, I suppose that one could argue that defeating NAT is itself
a nice feature, but that's out of bounds for this WG...)
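The checksum interaction in the reply above, as an added example that is not part of the thread: a UDP segment built with a private source address, an ESP-NULL-style integrity tag over that segment (HMAC-SHA256 stands in for the real ICV, and all addresses, ports and the key are constructed), then what a receiver sees after a NAT rewrites the source address, and after it also rewrites the source port to cancel the address change as the parenthetical suggests.

```python
# Added example, not from the thread: why a NAT cannot usefully rewrite addresses
# under ESP-NULL.  UDP stands in for any transport whose checksum covers the IP
# pseudo-header; HMAC-SHA256 over the segment stands in for the ESP ICV.
import hashlib, hmac
import ipaddress, struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src_ip: str, dst_ip: str, seg: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 17, len(seg)))
    return inet_checksum(pseudo + seg[:6] + b"\x00\x00" + seg[8:])

def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return seg[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, seg)) + seg[8:]

def udp_checksum_ok(src_ip: str, dst_ip: str, seg: bytes) -> bool:
    return udp_checksum(src_ip, dst_ip, seg) == struct.unpack("!H", seg[6:8])[0]

def compensating_port(old_ip: str, new_ip: str, sport: int) -> int:
    """Source port that cancels the address change in the one's-complement sum."""
    words = lambda ip: sum(struct.unpack("!HH", ipaddress.IPv4Address(ip).packed))
    return (sport - (words(new_ip) - words(old_ip))) % 0xFFFF

def icv(key: bytes, seg: bytes) -> bytes:
    return hmac.new(key, seg, hashlib.sha256).digest()

def nat_scenario(key: bytes = b"constructed-sa-key") -> dict:
    inner, nat_ip, server = "10.0.0.5", "203.0.113.7", "198.51.100.1"  # constructed
    seg = build_udp(inner, server, 40000, 53, b"query")
    tag = icv(key, seg)  # computed by the sending host before the NAT
    # The NAT may rewrite the IP header only; the whole UDP segment is under the ICV.
    # Rewriting the source port too keeps the checksum valid but breaks the ICV.
    fixed = struct.pack("!H", compensating_port(inner, nat_ip, 40000)) + seg[2:]
    return {
        "icv_ok_after_nat": hmac.compare_digest(icv(key, seg), tag),          # True
        "csum_ok_after_nat": udp_checksum_ok(nat_ip, server, seg),            # False
        "csum_ok_with_port_fixup": udp_checksum_ok(nat_ip, server, fixed),    # True
        "icv_ok_with_port_fixup": hmac.compare_digest(icv(key, fixed), tag),  # False
    }
```

In transport mode the port lives inside the ESP payload, so the port fix-up that repairs the transport checksum is itself caught by the integrity check.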