Hi,

Here are the drafts we wrote on Diet-ESP, which designs ESP for constrained environments.

[1] draft-mglt-ipsecme-diet-esp-requirements-00.txt <http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-requirements/> provides the requirements we considered for the design of Diet-ESP.

[2] draft-mglt-ipsecme-diet-esp-01.txt <http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp/> describes Diet-ESP. According to the feedback we received during the last presentation, Diet-ESP does not modify ESP. Instead, we consider compression / decompression of the payload sent on the wire.

[3] draft-mglt-ipsecme-diet-esp-iv-generation-00.txt <http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-iv-generation/> describes a way to compress the IV field in ESP encrypted payloads.

[4] draft-mglt-ipsecme-diet-esp-payload-compression-00.txt <http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-payload-compression/> describes how IPsec parameters negotiated with IKEv2 can be used to compress the clear text payload. More specifically, it is expected to compress up to the transport layer of the encrypted packet.

Feel free to make comments!

We have specific questions regarding the IV compression. The general idea is that a pseudo random function is used on both sides to generate the IV. This makes it possible to send only some LSBs.

1) The pseudo random function uses as input the encryption key and the authentication key. I do not see major security flaws, but it may be better if a dedicated K could be used. Any ideas?

2) By default we use PRF_AES128_XCBC. Another way would consist in choosing the PRF based on the ICV function. When NULL authentication is used the IV would not be compressed. Any opinion on that too?

[1] http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-requirements/
[2] http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp/
[3] http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-iv-generation/
[4] http://datatracker.ietf.org/doc/draft-mglt-ipsecme-diet-esp-payload-compression/

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
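
A sketch of the IV compression idea described in the message above, added here as an example and not taken from the drafts or from the author. Assumptions: HMAC-SHA256 stands in for PRF_AES128_XCBC, and the key-derivation label, the SPI/sequence-number PRF input, byte-granular LSBs and the receiver search window are all hypothetical.

```python
import hashlib
import hmac

IV_LEN = 16  # bytes; the IV size of AES-CBC (assumed cipher)


def derive_iv_key(enc_key: bytes, auth_key: bytes) -> bytes:
    """Derive a dedicated IV-generation key K from the SA keys (question 1).

    The label is a constructed value; it separates K from other uses of the keys.
    """
    return hmac.new(enc_key + auth_key, b"example iv-generation key",
                    hashlib.sha256).digest()


def generate_iv(iv_key: bytes, spi: int, seq: int) -> bytes:
    """Both peers compute the same full IV from state they already share."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(8, "big")
    return hmac.new(iv_key, msg, hashlib.sha256).digest()[:IV_LEN]


def compress_iv(iv: bytes, n_lsb: int) -> bytes:
    """Sender side: keep only the n_lsb least significant bytes for the wire."""
    if not 0 <= n_lsb <= IV_LEN:
        raise ValueError("n_lsb out of range")
    return iv[IV_LEN - n_lsb:]


def recover_iv(iv_key: bytes, spi: int, expected_seq: int,
               wire_lsb: bytes, window: int = 4):
    """Receiver side: regenerate candidate IVs and match the received LSBs.

    Returns (seq, full_iv) for the first match, or None when nothing in the
    window matches (wrong key, packet outside the window, or corruption).
    Fewer LSBs on the wire means a higher chance of a false match.
    """
    for seq in range(expected_seq, expected_seq + window):
        iv = generate_iv(iv_key, spi, seq)
        if hmac.compare_digest(compress_iv(iv, len(wire_lsb)), wire_lsb):
            return seq, iv
    return None
```
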
