On 10/19/2011 7:50 AM, Bhatia, Manav (Manav) wrote:
> Hi,
>
> I had spoken to one of the initial authors of this IPsec draft and I was told that setting up an IPsec tunnel exclusively for shipping 1588 may not be possible in the femto architecture. They are thus trying to use WESP (that I have co-authored) to identify 1588 packets within an IPsec stream.
>
> I have tried to describe the problem that this draft is attempting to address here:
>
> http://www.ietf.org/mail-archive/web/tictoc/current/msg00755.html
>
> As an author of WESP I can say that the way this draft uses WESP to protect 1588 is not very appropriate. The draft tries to add some additional identifiers in each protocol packet to uniquely identify 1588 packets. This in the security land will not be accepted, as anybody snooping on the wire will be easily able to disambiguate 1588 packets from other packets in the stream. If the authors want to use WESP then they must negotiate this unique ID (or a set of IDs) in IKE and pad the packets randomly so that the attackers can't identify the 1588 packets in the IPsec stream.
In that case the receiving end will also be unable to identify those packets, which defeats the purpose of the draft.

Danny

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
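The traffic-analysis point raised in the quoted message, as an added Python example that is not from this thread or from any draft: it models what a passive on-path observer sees of one IPsec stream and measures how well 1588 packets can be told apart when the draft's per-packet identifier sits in cleartext, versus when the identifier is carried inside the encrypted payload (as a value agreed in IKE) and every packet is padded to a fixed length before encryption. The packet lengths, the traffic mix and the 1500-byte padding target are constructed assumptions.

```python
import random
from collections import Counter

# Constructed model of one IPsec stream carrying 1588 (PTP) event messages
# plus ordinary user traffic. Lengths are illustrative, not measured values.
PTP_PLAINTEXT_LEN = 44
OTHER_LENS = [60, 128, 512, 1400]


def make_flow(n_ptp, n_other, seed=1):
    """Constructed sample flow: a list of (true class, plaintext length)."""
    rng = random.Random(seed)
    pkts = [("ptp", PTP_PLAINTEXT_LEN) for _ in range(n_ptp)]
    pkts += [("other", rng.choice(OTHER_LENS)) for _ in range(n_other)]
    rng.shuffle(pkts)
    return pkts


def on_wire(pkts, marker_in_clear=False, pad_to=None):
    """What a passive observer sees per packet: (length, cleartext marker).
    marker_in_clear models a per-packet 1588 identifier in the cleartext
    WESP header. pad_to models the alternative: the identifier is inside the
    encrypted payload and every packet is padded up to a fixed length before
    encryption (the same idea as ESP TFC padding in RFC 4303)."""
    view = []
    for kind, length in pkts:
        if pad_to is not None:
            length = max(length, pad_to)
        marker = (kind == "ptp") if marker_in_clear else None
        view.append((length, marker))
    return view


def observer_accuracy(pkts, view):
    """Best a passive observer can do: label each observable pattern with the
    class that most often produced it. 1.0 means perfect disambiguation."""
    by_obs = {}
    for (kind, _), obs in zip(pkts, view):
        by_obs.setdefault(obs, Counter())[kind] += 1
    correct = sum(c.most_common(1)[0][1] for c in by_obs.values())
    return correct / len(pkts)


def baseline(pkts):
    """Accuracy of guessing the majority class without looking at the wire."""
    return Counter(k for k, _ in pkts).most_common(1)[0][1] / len(pkts)


if __name__ == "__main__":
    flow = make_flow(100, 300)
    print("baseline (no wire data)  ", baseline(flow))
    print("cleartext marker         ", observer_accuracy(flow, on_wire(flow, marker_in_clear=True)))
    print("encrypted ID, no padding ", observer_accuracy(flow, on_wire(flow)))
    print("encrypted ID, pad to 1500", observer_accuracy(flow, on_wire(flow, pad_to=1500)))
```

Without padding the small, fixed PTP length alone gives the observer away even with the identifier encrypted; only the padded case drops the observer back to the majority-class baseline, while the receiver still recovers the identifier after decryption.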
