Hello all! I would like to thank everyone for the much enlightening discussion.

From what I've gathered from the discussion and the documents that have been referred to is that ESP provides the same level of security in the IPv6 unicast transport mode case, with one exception: ESP doesn't protect the immutable parts of the IPv6 header nor those of any extension header. Both the source as well as the IP destination field can be verified by comparing them to the information found in the associated SA's traffic selector, but extension headers can be added, removed and altered at will. It's clear that this security hole can be used in malicious ways; the only question is how much trouble an attacker could cause. Is there anyone who could come up with an example of a nasty attack?

As for the (apparently widely held) belief that transport mode is redundant, I would like to voice my opinion in defense of it: tunnel mode incurs an overhead due to the extra IP header. In the case of IPv6 that overhead will be over 40 bytes and will cost hardware resources as well as bandwidth. Ferguson and Schneier propose a compression scheme (section "Protocols") for reducing this overhead, but that suggestion is tantamount to proposing a new mode and would take much time and work to introduce in the current implementations.

Regards,
Vilhelm Jutvik

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
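The two points raised above, what the ESP transport-mode ICV does and does not cover in an IPv6 packet, and the extra 40-byte header that tunnel mode adds, can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from any IPsec implementation; encryption is left out so the byte layout stays visible, and the key, SPI and 2001:db8::/32 addresses are constructed sample values. It builds an IPv6 packet with a Hop-by-Hop header in front of ESP, shows that the ICV (HMAC-SHA-256 truncated to 128 bits, as in RFC 4868) is computed over the ESP header, payload and trailer only, and then sketches a receive-side policy of the kind the post describes: the SA's traffic selector for the addresses plus an explicit allow-list for the extension headers that sit outside the integrity-protected region.

```python
import hmac
import hashlib
import struct

# Constructed sample values (not real SA material, not addresses from the thread).
INTEG_KEY = b"constructed-32-byte-integrity-key"[:32]
SRC = bytes.fromhex("20010db8000000010000000000000001")  # 2001:db8:0:1::1
DST = bytes.fromhex("20010db8000000020000000000000002")  # 2001:db8:0:2::2
SPI = 0x1000

NH_HOPOPT, NH_TCP, NH_IPV6, NH_ESP = 0, 6, 41, 50
IPV6_HDR_LEN = 40
ICV_LEN = 16  # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
PADN = bytes([1, 4, 0, 0, 0, 0])  # one PadN option filling the 6 option bytes


def ipv6_header(src, dst, next_hdr, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header with traffic class and flow label set to 0."""
    return struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, hop_limit) + src + dst


def hop_by_hop(next_hdr, six_option_bytes):
    """A single 8-octet Hop-by-Hop header (Hdr Ext Len = 0); exactly 6 option bytes."""
    assert len(six_option_bytes) == 6
    return bytes([next_hdr, 0]) + six_option_bytes


def esp_encapsulate(spi, seq, payload, next_hdr, key):
    """ESP header + payload + trailer + ICV. The ICV covers only the bytes this
    function emits (RFC 4303 s.2.8); whatever precedes ESP in the packet is not covered."""
    pad_len = (-(len(payload) + 2)) % 4  # payload + pad + pad_len + next_hdr on a 4-octet boundary
    body = (struct.pack("!II", spi, seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    icv = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def plain_packet(src, dst, hbh_options, payload):
    """Unprotected IPv6 packet: header, Hop-by-Hop, then a TCP payload stand-in."""
    ext = hop_by_hop(NH_TCP, hbh_options)
    return ipv6_header(src, dst, NH_HOPOPT, len(ext) + len(payload)) + ext + payload


def build_packet(src, dst, hbh_options, payload, seq=1):
    """ESP transport mode: original header and Hop-by-Hop kept, ESP wraps the payload."""
    esp = esp_encapsulate(SPI, seq, payload, NH_TCP, INTEG_KEY)
    ext = hop_by_hop(NH_ESP, hbh_options)
    return ipv6_header(src, dst, NH_HOPOPT, len(ext) + len(esp)) + ext + esp


def esp_tunnel(src, dst, inner_pkt, seq=1):
    """ESP tunnel mode: the whole inner packet becomes the ESP payload behind a new
    40-byte outer IPv6 header, which is the overhead the post objects to."""
    esp = esp_encapsulate(SPI, seq, inner_pkt, NH_IPV6, INTEG_KEY)
    return ipv6_header(src, dst, NH_ESP, len(esp)) + esp


def walk_ext_headers(pkt):
    """Return (extension header types in front of ESP, byte offset of ESP).
    Only Hop-by-Hop is modelled; other types raise."""
    nh, off, seen = pkt[6], IPV6_HDR_LEN, []
    while nh != NH_ESP:
        if nh != NH_HOPOPT:
            raise ValueError("unsupported next header %d" % nh)
        seen.append(nh)
        nh = pkt[off]
        off += (pkt[off + 1] + 1) * 8
    return seen, off


def icv_verifies(pkt, key):
    """Recompute the ICV over the ESP region only and compare in constant time."""
    _, esp_off = walk_ext_headers(pkt)
    body, icv = pkt[esp_off:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(expected, icv)


def receiver_check(pkt, sa):
    """Receive-side policy (constructed for this example): addresses against the
    SA traffic selector, an allow-list for the unprotected extension headers, then the ICV."""
    if (pkt[8:24], pkt[24:40]) != (sa["src"], sa["dst"]):
        return "drop: addresses do not match SA traffic selector"
    ext_types, _ = walk_ext_headers(pkt)
    disallowed = [t for t in ext_types if t not in sa["allowed_ext_headers"]]
    if disallowed:
        return "drop: extension header %s not permitted by policy" % disallowed
    if not icv_verifies(pkt, sa["integ_key"]):
        return "drop: ICV mismatch"
    return "accept"


SA_STRICT = {"src": SRC, "dst": DST, "integ_key": INTEG_KEY, "allowed_ext_headers": set()}
SA_PERMISSIVE = dict(SA_STRICT, allowed_ext_headers={NH_HOPOPT})

if __name__ == "__main__":
    pkt = build_packet(SRC, DST, PADN, b"hello")
    # Same ESP region, different Hop-by-Hop option bytes: the ICV cannot tell them apart.
    other = pkt[:IPV6_HDR_LEN + 2] + bytes([1, 4, 0xDE, 0xAD, 0xBE, 0xEF]) + pkt[IPV6_HDR_LEN + 8:]
    print("ICV verifies, original:            ", icv_verifies(pkt, INTEG_KEY))
    print("ICV verifies, changed ext header:  ", icv_verifies(other, INTEG_KEY))
    print("strict policy on changed packet:   ", receiver_check(other, SA_STRICT))
    print("tunnel minus transport size (bytes):",
          len(esp_tunnel(SRC, DST, plain_packet(SRC, DST, PADN, b"hello"))) - len(pkt))
```

With a 5-byte payload the tunnel-mode packet comes out exactly 40 bytes larger than the transport-mode one; because ESP pads to a 4-octet boundary, the difference for other payload sizes is 40 bytes or slightly more, which matches the "over 40 bytes" figure in the post. The allow-list in `receiver_check` is the receive-side counterpart of the observation that extension headers fall outside the ICV: a policy that names the extension headers an SA is expected to carry turns the coverage gap into a dropped packet rather than a silently accepted one.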
