Hi Christian,

Having thought a bit more about reassembling on the receiving side,
I think that there may be some issues. You rely on ESP SN to
properly reassemble the IP packets, but there is at least one
case when it doesn't work - when IPsec protects multicast traffic
and there are several senders in an SA. In this case the SN will repeat,
so your reassembling mechanism won't work (well, there isn't
any replay protection in this case either).

And I really want to make the reassembling feature optional
and negotiable.

Regards,
Valery.



> Hi ipsecme folks,
> 
> Here's some new work on improving IP traffic flow security. I've requested a
> presentation slot from the chairs for the upcoming ipsecme WG meeting @
> IETF 104, and will hopefully be able to present this work at that time as
> well.
> 
> Thanks,
> Chris.
> 
> internet-dra...@ietf.org writes:
> 
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> >
> >
> >         Title           : IP Traffic Flow Security
> >         Author          : Christian Hopps
> >         Filename        : draft-hopps-ipsecme-iptfs-00.txt
> >         Pages           : 22
> >         Date            : 2019-03-11
> >
> > Abstract:
> >    This document describes a mechanism to enhance IPsec traffic flow
> >    security by adding traffic flow confidentiality to encrypted IP
> >    encapsulated traffic.  Traffic flow confidentiality is provided by
> >    obscuring the size and frequency of IP traffic using a fixed-sized,
> >    constant-send-rate IPsec tunnel.  The solution allows for congestion
> >    control as well.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-hopps-ipsecme-iptfs/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-hopps-ipsecme-iptfs-00
> > https://datatracker.ietf.org/doc/html/draft-hopps-ipsecme-iptfs-00
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > I-D-Announce mailing list
> > i-d-annou...@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html or
> > ftp://ftp.ietf.org/ietf/1shadow-sites.txt


_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
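
Added example (not part of the original thread and not code from draft-hopps-ipsecme-iptfs): a simplified Python model of the concern raised in the reply above, that reassembly keyed on the ESP SN stops working when several multicast senders share one SA. The payload layout, class and function names, and sample streams are assumptions constructed for illustration.

```python
# Simplified model, not the draft's wire format (assumption): every ESP payload
# carries one fixed-size slice of the sender's inner-packet byte stream, and the
# receiver restores stream order from the ESP sequence number (SN) alone.
from dataclasses import dataclass

@dataclass(frozen=True)
class EspPayload:
    sn: int       # ESP sequence number
    data: bytes   # slice of the inner byte stream

class Sender:
    """One SA member; keeps its own SN counter, as each multicast sender would."""
    def __init__(self, slice_len=8):
        self.sn, self.slice_len = 0, slice_len

    def send(self, stream):
        out = []
        for off in range(0, len(stream), self.slice_len):
            self.sn += 1
            out.append(EspPayload(self.sn, stream[off:off + self.slice_len]))
        return out

def reassemble(payloads):
    """Order payloads by SN and concatenate; also report SNs seen more than once."""
    ordered = sorted(payloads, key=lambda p: p.sn)   # stable sort
    seen, repeated = set(), set()
    for p in ordered:
        (repeated if p.sn in seen else seen).add(p.sn)
    return b"".join(p.data for p in ordered), sorted(repeated)

# Constructed sample streams: three 8-byte slices each.
STREAM_A = b"pktA-001pktA-002pktA-003"
STREAM_B = b"pktB-001pktB-002pktB-003"

def single_sender_case():
    # One sender, payloads arrive in reverse order: SN restores the stream.
    return reassemble(reversed(Sender().send(STREAM_A)))

def multi_sender_case():
    # Two senders share the SA; their payloads arrive interleaved.
    a, b = Sender().send(STREAM_A), Sender().send(STREAM_B)
    arrival = [p for pair in zip(a, b) for p in pair]
    return reassemble(arrival)

if __name__ == "__main__":
    print(single_sender_case())
    print(multi_sender_case())
```

In the multi-sender case every SN occurs twice and the SN-ordered output mixes slices from both senders, so the receiver recovers neither stream.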
